Echo JS 0.11.0

sylvainpv 3132 days ago. 2 points
You talk about the risk of code injection but it seems you don't care at all. This test for detecting serialized functions is ridiculously weak, making an XSS with this example as easy as:

let person = {
  name: 'function f(){},alert("XSS")'
};

Of course you can try to sanitize any user-inserted data, but unless you like playing Russian roulette, I strongly discourage you from going that way.
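
The pattern the comment above is criticising, as an added example (this is not code from the thread or from the library under discussion): a deserializer that decides a string value is a serialized function by pattern-matching on it and then evals it, next to a pattern that never turns data into code. The "starts with function" check, the `registry` and the `$fn` tag are assumptions made for illustration; the browser's `alert` is replaced by a constructed stub so the injection is observable in Node.

```javascript
// Added example, not the thread's or the library's code. Reconstructs the
// pattern sylvainpv criticises (assumed detection rule, assumed registry).

// Constructed stand-in for the browser's alert(): records calls so the
// injected call is observable outside a browser.
const alertCalls = [];
globalThis.alert = (msg) => { alertCalls.push(String(msg)); };

// 1. Weak detection (assumption): any string that starts with "function"
//    is treated as a serialized function.
function looksLikeFunction(value) {
  return typeof value === 'string' && /^\s*function\b/.test(value);
}

// 2. Naive deserializer: a string that passes the check is evaluated as code,
//    so the string's author gets arbitrary execution in the caller's context.
function naiveDeserialize(json) {
  return JSON.parse(json, (key, value) =>
    looksLikeFunction(value) ? eval('(' + value + ')') : value);
}

// The payload from the comment: "(function f(){},alert("XSS"))" is a comma
// expression, so the function is created and then alert() runs.
const hostilePerson = { name: 'function f(){},alert("XSS")' };
const serialized = JSON.stringify(hostilePerson);

function demoNaive() {
  alertCalls.length = 0;
  const out = naiveDeserialize(serialized);
  // alert() fired once; name is the comma expression's result (undefined).
  return { alertCount: alertCalls.length, name: out.name };
}

// 3. Safer pattern: never rebuild code from data. Functions are replaced by a
//    tagged reference into an explicit, application-controlled registry, and
//    every string stays a string. Registry and tag name are assumptions.
const registry = {
  greet(person) { return `Hello, ${person.name}`; },
};

function serialize(obj) {
  return JSON.stringify(obj, (key, value) => {
    if (typeof value === 'function') {
      const name = Object.keys(registry).find((k) => registry[k] === value);
      if (name === undefined) throw new Error(`function not registered: ${key}`);
      return { $fn: name };
    }
    return value;
  });
}

function safeDeserialize(json) {
  return JSON.parse(json, (key, value) => {
    if (value !== null && typeof value === 'object' && typeof value.$fn === 'string') {
      // hasOwnProperty: reject "constructor", "toString" etc. from the prototype.
      if (!Object.prototype.hasOwnProperty.call(registry, value.$fn)) {
        throw new Error(`unknown function reference: ${value.$fn}`);
      }
      return registry[value.$fn];
    }
    return value; // strings are data, never code
  });
}

function demoSafe() {
  alertCalls.length = 0;
  const hostile = safeDeserialize(serialized);           // name stays a string
  const roundTrip = safeDeserialize(serialize({ name: 'Ada', greet: registry.greet }));
  return {
    alertCount: alertCalls.length,
    nameIsString: typeof hostile.name === 'string',
    greeting: roundTrip.greet(roundTrip),
  };
}
```

The point of the registry is that the wire format can only name a function the application already chose to expose; it can never carry a function body, so there is nothing for a hostile `name` field to smuggle in and no sanitization step to get wrong.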

Replies

adrianoprea 3130 days ago. 1 point
You are right; that is an experiment, as I have clarified in many of the comments/discussion threads I've had on LinkedIn, the blog comments section, etc. But I would never use something like that for user-inserted data. If I were ever to use something like that in production, it would be for data structures that I created myself. The "person" example was the easiest to use. In the meantime, you have to sanitize everything, and you have a bigger problem if you allow your users to set names like that and don't encode them.
As a closing thought, nothing comes out of JSON.parse when the object looks like this, besides an error that is easy to fix:

let person = {
  name: 'function f(){},alert("XSS")'
};

Cheers.