Rich-Harris/devalue

Security: SafeKey XSS

JohannesLamberts opened this issue · 2 comments

As shown in vuejs/vuex-router-sync#89 (comment) and https://codesandbox.io/s/5x2wpo27k4, devalue exposes an XSS vulnerability when an object key contains unsafe characters.

From the issue:

I think it should be safe to use the same approach as in serialize-javascript to replace unsafe characters: https://github.com/yahoo/serialize-javascript/blob/35f64803a3a67662e16ad5260901d4e291260989/index.js#L126

Thank you for finding/fixing this — bit embarrassed about how long it went unmerged, but this is now released as 1.1.1
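The issue above is about where the serialized output ends up: state is commonly inlined into a `<script>` block, so an object key such as `</script>` in the emitted JS literal is read by the HTML parser before the JS parser ever sees it. The following is an added example, not devalue's code and not the 1.1.1 fix itself; `naiveStringify`, `safeStringify`, `renderPage` and `scriptIsIntact` are hypothetical stand-ins, while the `UNSAFE_CHARS_REGEXP` / `ESCAPED_CHARS` table mirrors the escaping approach in serialize-javascript that the issue links to. It shows the vulnerable output, the escaped output, a check that the inline script is intact, and that the escaped form still round-trips to the same object.

```javascript
// Added example (not devalue's own code). Demonstrates why unescaped object
// keys are an XSS risk when a serialized literal is inlined into <script>,
// and the escape table serialize-javascript applies to close that gap.

// Characters that can terminate or corrupt an inline <script> block:
// '<', '>', '/' (for "</script>") and the U+2028/U+2029 line separators,
// which were not valid inside JS string literals before ES2019.
// This table mirrors serialize-javascript; the rest is hypothetical.
const UNSAFE_CHARS_REGEXP = /[<>\/\u2028\u2029]/g;
const ESCAPED_CHARS = {
  '<': '\\u003C',
  '>': '\\u003E',
  '/': '\\u002F',
  '\u2028': '\\u2028',
  '\u2029': '\\u2029',
};
function escapeUnsafeChars(unsafeChar) {
  return ESCAPED_CHARS[unsafeChar];
}

// Naive serializer (hypothetical): emits keys and values as JS/JSON string
// literals with no regard for the HTML context the output is embedded in.
// JSON.stringify does not escape '<', '>' or '/', so they pass through raw.
function naiveStringify(obj) {
  return '{' + Object.keys(obj).map(
    k => JSON.stringify(k) + ':' + JSON.stringify(obj[k])
  ).join(',') + '}';
}

// Hardened variant: same literal, but every unsafe character becomes a
// \uXXXX escape. That is still a valid string escape for both JS and JSON,
// yet the HTML parser no longer sees a '<' or '/' anywhere in the payload.
function safeStringify(obj) {
  return naiveStringify(obj).replace(UNSAFE_CHARS_REGEXP, escapeUnsafeChars);
}

// Inline the serialized state the way an SSR framework typically does.
function renderPage(serialized) {
  return '<script>window.__STATE__=' + serialized + '</script>';
}

// Defender-side check: the markup between the script tags must contain no
// early "</script" terminator and no raw U+2028/U+2029 characters.
function scriptIsIntact(html) {
  const inner = html.slice('<script>'.length, -'</script>'.length);
  return !/<\/script/i.test(inner) && !/[\u2028\u2029]/.test(inner);
}

// The escaped output must still decode to the original object; JSON.parse
// understands \uXXXX escapes, so no eval is needed for this check.
function roundTrips(serialized, original) {
  return JSON.stringify(JSON.parse(serialized)) === JSON.stringify(original);
}

// Constructed sample: the *key* (not the value) carries markup.
const state = { '</script><b>injected</b>': 'x', ok: 'val' };

const naiveHtml = renderPage(naiveStringify(state));
const safeHtml = renderPage(safeStringify(state));

console.log('naive script intact?', scriptIsIntact(naiveHtml)); // false
console.log('safe script intact? ', scriptIsIntact(safeHtml));  // true
console.log('safe round-trips?    ', roundTrips(safeStringify(state), state)); // true
console.log(safeHtml);
```

Note that the escape step runs over the whole emitted literal, so it covers keys, values and any other string the serializer produces; escaping only values, as the original bug shows, leaves keys as an unguarded path into the HTML context.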