Merge branch 'master' into cut-size-in-half

developit · developit · commit a5607e400501 · 2018-08-01T17:41:39.000-04:00
diff --git a/package.json b/package.json
@@ -1,7 +1,7 @@
 {
   "name": "preact-render-to-string",
   "amdName": "preactRenderToString",
-  "version": "3.7.0",
+  "version": "3.7.2",
   "description": "Render JSX to an HTML string, with support for Preact components.",
   "main": "dist/index.js",
   "umd:main": "dist/index.js",
diff --git a/src/index.js b/src/index.js
@@ -113,6 +113,9 @@ export default function renderToString(vnode, context, opts, inner, isSvgMode) {
 			let name = attrs[i],
 				v = attributes[name];
 			if (name==='children') continue;
+
+			if (name.match(/[\s\n\/='"\0<>]/)) continue;
+
 			if (!(opts && opts.allAttributes) && (name==='key' || name==='ref')) continue;
 
 			if (name==='className') {
@@ -156,6 +159,7 @@ export default function renderToString(vnode, context, opts, inner, isSvgMode) {
 	else if (pretty && ~s.indexOf('\n')) s += '\n';
 
 	s = `<${nodeName}${s}>`;
+	if (String(nodeName).match(/[\s\n\/='"\0<>]/)) throw s;
 
 	if (VOID_ELEMENTS.indexOf(nodeName)>-1) {
 		s = s.replace(/>$/, ' />');
diff --git a/test/render.js b/test/render.js
@@ -56,6 +56,45 @@ describe('render', () => {
 			expect(render(<div foo={0} />)).to.equal(`<div foo="0"></div>`);
 		});
 
+		describe('attribute name sanitization', () => {
+			it('should omit attributes with invalid names', () => {
+				let rendered = render(h('div', {
+					'<a': '1',
+					'a>': '1',
+					'foo"bar': '1',
+					'"hello"': '1'
+				}));
+				expect(rendered).to.equal(`<div></div>`);
+			});
+
+			it('should mitigate attribute name injection', () => {
+				let rendered = render(h('div', {
+					'></div><script>alert("hi")</script>': '',
+					'foo onclick': 'javascript:alert()',
+					a: 'b'
+				}));
+				expect(rendered).to.equal(`<div a="b"></div>`);
+			});
+
+			it('should allow emoji attribute names', () => {
+				let rendered = render(h('div', {
+					'a;b': '1',
+					'a🧙‍b': '1'
+				}));
+				expect(rendered).to.equal(`<div a;b="1" a🧙‍b="1"></div>`);
+			});
+		});
+
+		it('should throw for invalid nodeName values', () => {
+			expect(() => render(h('div'))).not.to.throw();
+			expect(() => render(h('x-💩'))).not.to.throw();
+			expect(() => render(h('a b'))).to.throw(/<a b>/);
+			expect(() => render(h('a\0b'))).to.throw(/<a\0b>/);
+			expect(() => render(h('a>'))).to.throw(/<a>>/);
+			expect(() => render(h('<'))).to.throw(/<<>/);
+			expect(() => render(h('"'))).to.throw(/<">/);
+		});
+
 		it('should collapse collapsible attributes', () => {
 			let rendered = render(<div class="" style="" foo={true} bar />),
 				expected = `<div class style foo bar></div>`;

Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,7 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "preact-render-to-string",`
`3`	`3`	`"amdName": "preactRenderToString",`
`4`		`- "version": "3.7.0",`
	`4`	`+ "version": "3.7.2",`
`5`	`5`	`"description": "Render JSX to an HTML string, with support for Preact components.",`
`6`	`6`	`"main": "dist/index.js",`
`7`	`7`	`"umd:main": "dist/index.js",`