Home Esplora Aiuto
Registrati Accedi
im-changing.ru
/
converse.js
mirror da https://github.com/conversejs/converse.js.git
2
0
Forka 0
File Problemi 0 Wiki
Sfoglia il codice sorgente

Don't use `_.template` for variable interpolation

It depends on `eval` which is unsafe.
JC Brand 7 anni fa
parent
4d34952eae
commit
fa6569352c
3 ha cambiato i file con 13 aggiunte e 1 eliminazioni
Visualizzazione separata Mostra Diff Stats
  1. 4 0
      CHANGES.md
  2. 1 1
      src/converse-core.js
  3. 8 0
      src/utils.js

+ 4 - 0
CHANGES.md
Vedi File 

@@ -1,5 +1,9 @@
 
 # Changelog
 
 
+## 3.3.4 (Unreleased)
 
+
 
+- Avoid `eval` (via `_.template` from lodash).
 
+
 
 ## 3.3.3 (2018-02-14)
 
 
 ### Bugfixes

+ 1 - 1
src/converse-core.js
Vedi File 

@@ -1862,7 +1862,7 @@
 
             i18n.fetchTranslations(
 
                 _converse.locale,
 
                 _converse.locales,
 
-                _.template(_converse.locales_url)({'locale': _converse.locale}))
 
+                u.interpolate(_converse.locales_url, {'locale': _converse.locale}))
 
             .catch(_.partial(_converse.log, _, Strophe.LogLevel.FATAL))
 
             .then(finishInitialization)
 
             .catch(_.partial(_converse.log, _, Strophe.LogLevel.FATAL));

+ 8 - 0
src/utils.js
Vedi File 

@@ -646,6 +646,14 @@
 
         return promise;
 
     };
 
 
+    u.interpolate = function (string, o) {
 
+        return string.replace(/{{{([^{}]*)}}}/g,
 
+            (a, b) => {
 
+                var r = o[b];
 
+                return typeof r === 'string' || typeof r === 'number' ? r : a;
 
+            });
 
+    };
 
+
 
     u.safeSave = function (model, attributes) {
 
         if (u.isPersistableModel(model)) {
 
             model.save(attributes);