Security: SafeKey XSS
JohannesLamberts opened this issue · 2 comments
JohannesLamberts commented
As shown in vuejs/vuex-router-sync#89 (comment) and https://codesandbox.io/s/5x2wpo27k4, devalue exposes an XSS vulnerability when an object key contains unsafe characters.
From the issue:
I think it should be safe to use the same approach as in serialize-javascript to replace unsafe characters: https://github.com/yahoo/serialize-javascript/blob/35f64803a3a67662e16ad5260901d4e291260989/index.js#L126
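Added example, not devalue's or serialize-javascript's own code: a JSON.stringify wrapper that applies the character-replacement approach linked above to the whole serialized string, so object keys get exactly the same treatment as values, plus a check a template layer can run before emitting the script tag. The names `safeStringify` and `containsScriptBreakout` and the sample object are assumptions made for this illustration.

```javascript
// Added example (not devalue's or serialize-javascript's code): escape the
// characters that let serialized data break out of an inline <script> block.
// Mirrors the serialize-javascript approach referenced in the issue:
// '<', '>', '/', U+2028 and U+2029 become \uXXXX escapes. Those escapes are
// still valid inside a JS/JSON string literal, so the data round-trips intact.
const UNSAFE = /[<>\/\u2028\u2029]/g;
const ESCAPED = {
  '<': '\\u003C',
  '>': '\\u003E',
  '/': '\\u002F',
  '\u2028': '\\u2028',
  '\u2029': '\\u2029',
};

// Serialize `value` so it can be placed verbatim inside <script>...</script>.
// The replacement runs over the finished JSON text, so keys and values are
// covered alike, which is the gap the issue describes.
function safeStringify(value) {
  const json = JSON.stringify(value);
  return json.replace(UNSAFE, (c) => ESCAPED[c]);
}

// Defensive check: true when a raw `</script` or `<!--` sequence survives in
// the serialized text (either would be interpreted by the HTML parser).
function containsScriptBreakout(serialized) {
  return /<\/script|<!--/i.test(serialized);
}

// Constructed sample (hypothetical data): the *key* carries the unsafe text.
const sample = { '</script><b>not data</b>': 1, ok: 'a/b' };
const naive = JSON.stringify(sample);
const safe = safeStringify(sample);

console.log('naive :', naive, '| breakout:', containsScriptBreakout(naive));
console.log('safe  :', safe, '| breakout:', containsScriptBreakout(safe));
console.log('round-trips:', JSON.stringify(JSON.parse(safe)) === naive);
```

Note that JSON.stringify alone does not escape U+2028/U+2029 or `<`, which is why the post-processing step is needed rather than relying on JSON encoding.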
pi0 commented
Simpler reproduction:
Server-side (express + query):
Rich-Harris commented
Thank you for finding/fixing this — bit embarrassed about how long it went unmerged, but this is now released as 1.1.1