kylefang/angular.js
1
0
Fork 0
mirror of https://github.com/zhigang1992/angular.js.git synced 2026-04-22 19:23:38 +08:00
Code Issues Packages Projects Releases Wiki Activity

fix($parse): forbid __proto__ properties in angular expressions

Browse Source 
__proto__ can be used to mess with global prototypes and it's
deprecated. Therefore, blacklisting it seems like a good idea.

BREAKING CHANGE:
The (deprecated) __proto__ propery does not work inside angular expressions
anymore.
This commit is contained in:
Jann Horn
2014-06-09 00:03:50 +02:00
committed by Igor Minar
parent 89ca859734
commit cb713e6045
2 changed files with 23 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
src/ng/parse.js
View File

@@ -43,6 +43,9 @@ function ensureSafeMemberName(name, fullExpression) {
throw $parseMinErr('isecgetset',
'Defining and looking up getters and setters in Angular expressions is disallowed! '
+'Expression: {0}', fullExpression);
} else if (name === "__proto__") {
throw $parseMinErr('isecproto', 'Using __proto__ in Angular expressions is disallowed! '
+'Expression: {0}', fullExpression);
}
return name;
}
@@ -713,6 +716,10 @@ Parser.prototype = {
i = indexFn(self, locals),
v, p;
if (i === "__proto__") {
throw $parseMinErr('isecproto', 'Using __proto__ in Angular expressions is disallowed! '
+'Expression: {0}', parser.text);
}
if (!o) return undefined;
v = ensureSafeObject(o[i], parser.text);
if (v && v.then && parser.options.unwrapPromises) {

16
test/ng/parseSpec.js
View File

@@ -1106,6 +1106,22 @@ describe('parser', function() {
});
});
describe('__proto__', function() {
it('should NOT allow access to __proto__', function() {
expect(function() {
scope.$eval('{}.__proto__.foo = 1');
}).toThrowMinErr(
'$parse', 'isecproto', 'Using __proto__ in Angular expressions is disallowed!'+
' Expression: {}.__proto__.foo = 1');
expect(function() {
scope.$eval('{}["__pro"+"to__"].foo = 1');
}).toThrowMinErr(
'$parse', 'isecproto', 'Using __proto__ in Angular expressions is disallowed!'+
' Expression: {}["__pro"+"to__"].foo = 1');
});
});
describe('constant', function() {
it('should mark scalar value expressions as constant', inject(function($parse) {