Tags: requarks/wiki
Tags
Merge pull request from GHSA-xjcj-p2qv-q3rf * Update render.js # Improved handling of mustache expressions and v-pre attribute assignment ## Changes Made: - Ensured that the parent tag of such text nodes is explicitly set to a `<p>` tag with the `v-pre` attribute. - Added debug messages for better understanding of the script execution flow [THIS SHOULD REMOVED WHEN PUSHING TO PRODUCTION]. ## Why it Works: - When a mustache expression is found, the script either wraps it in a new `<p>` tag with the `v-pre` attribute or adds the `v-pre` attribute to the existing parent `<p>` tag. - This approach ensures that the template code is not removed but encapsulated within `<p>` tags with the `v-pre` attribute, as required. ## Test Cases Passed: 1. `<xyz>{{ constructor.constructor('alert(1)')() }}</xyz>` 2. `<xyz>{{ constructor.constructor('alert(1)')() }}</xyz>` 3. `<p><xyz>{{ constructor.constructor('alert(1)')() }}</p>` 4. `<p><xyz>{{ constructor.constructor('alert(1)')() }}</xyz></p>` 5. `<p><xyz>{{constructor.constructor('alert("Test Case 8")')()}}<xyz>{{constructor.constructor('alert("Test Case 9")')()}}</xyz></p>` This commit enhances the robustness and reliability of handling mustache expressions and ensures proper assignment of the `v-pre` attribute, to ensure that there is no room for the weaponization of the template code later in the rendering process. * fix: move template expressions after dom-purify + handle text nodes without parent --------- Co-authored-by: NGPixel <[email protected]>
PreviousNext