Don't use `_.template` for variable interpolation

It depends on `eval` which is unsafe.

Don't use `_.template` for variable interpolation
It depends on `eval` which is unsafe.
fa656935 · JC Brand · 4d34952e · fa656935 · fa656935 · fa656935
Commit fa656935 authored Feb 19, 2018 by JC Brand
Hide whitespace changes
Inline Side-by-side

Showing with 13 additions and 1 deletion

CHANGES.md CHANGES.md +4 -0

src/converse-core.js src/converse-core.js +1 -1

src/utils.js src/utils.js +8 -0

No files found.
--- a/CHANGES.md
+++ b/CHANGES.md
 # Changelog

+## 3.3.4 (Unreleased)
+
+- Avoid `eval` (via `_.template` from lodash).
+
 ## 3.3.3 (2018-02-14)

 ### Bugfixes

--- a/src/converse-core.js
+++ b/src/converse-core.js
@@ -1862,7 +1862,7 @@
            i18n.fetchTranslations(
                _converse.locale,
                _converse.locales,
-                _.template(_converse.locales_url)({'locale': _converse.locale}))
+                u.interpolate(_converse.locales_url, {'locale': _converse.locale}))
            .catch(_.partial(_converse.log, _, Strophe.LogLevel.FATAL))
            .then(finishInitialization)
            .catch(_.partial(_converse.log, _, Strophe.LogLevel.FATAL));

--- a/src/utils.js
+++ b/src/utils.js
@@ -646,6 +646,14 @@
        return promise;
    };

+    u.interpolate = function (string, o) {
+        return string.replace(/{{{([^{}]*)}}}/g,
+            (a, b) => {
+                var r = o[b];
+                return typeof r === 'string' || typeof r === 'number' ? r : a;
+            });
+    };
+
    u.safeSave = function (model, attributes) {
        if (u.isPersistableModel(model)) {
            model.save(attributes);