* Update render.js # Improved handling of mustache expressions and v-pre attribute assignment ## Changes Made: - Ensured that the parent tag of such text nodes is explicitly set to a `<p>` tag with the `v-pre` attribute. - Added debug messages for better understanding of the script execution flow [THIS SHOULD REMOVED WHEN PUSHING TO PRODUCTION]. ## Why it Works: - When a mustache expression is found, the script either wraps it in a new `<p>` tag with the `v-pre` attribute or adds the `v-pre` attribute to the existing parent `<p>` tag. - This approach ensures that the template code is not removed but encapsulated within `<p>` tags with the `v-pre` attribute, as required. ## Test Cases Passed: 1. `<xyz>{{ constructor.constructor('alert(1)')() }}</xyz>` 2. `<xyz>{{ constructor.constructor('alert(1)')() }}</xyz>` 3. `<p><xyz>{{ constructor.constructor('alert(1)')() }}</p>` 4. `<p><xyz>{{ constructor.constructor('alert(1)')() }}</xyz></p>` 5. `<p><xyz>{{constructor.constructor('alert("Test Case 8")')()}}<xyz>{{constructor.constructor('alert("Test Case 9")')()}}</xyz></p>` This commit enhances the robustness and reliability of handling mustache expressions and ensures proper assignment of the `v-pre` attribute, to ensure that there is no room for the weaponization of the template code later in the rendering process. * fix: move template expressions after dom-purify + handle text nodes without parent --------- Co-authored-by: NGPixel <github@ngpixel.com> |
||
---|---|---|
.devcontainer | ||
.github | ||
.vscode | ||
client | ||
dev | ||
patches | ||
server | ||
.babelrc | ||
.editorconfig | ||
.eslintignore | ||
.eslintrc.yml | ||
.gitattributes | ||
.gitignore | ||
.npmrc | ||
.nvmrc | ||
config.sample.yml | ||
cypress.json | ||
LICENSE | ||
package.json | ||
README.md | ||
SECURITY.md | ||
yarn.lock |
- Official Website
- Documentation
- Requirements
- Installation
- Demo
- Changelog
- Feature Requests
- Chat with us on Slack
- Translations (We need your help!)
- E2E Testing Results
- Special Thanks
- Contribute
Follow our Twitter feed to learn about upcoming updates and new releases!
Donate
Wiki.js is an open source project that has been made possible due to the generous contributions by community backers. If you are interested in supporting this project, please consider becoming a sponsor, becoming a patron, donating to our OpenCollective, via Paypal or via Ethereum (0xe1d55c19ae86f6bcbfb17e7f06ace96bdbb22cb5
).
Gold Tier Sponsors
GitHub Sponsors
Support this project by becoming a sponsor. Your name will show up in the Contribute page of all Wiki.js installations as well as here with a link to your website! [Become a sponsor]
|
Alexander Casassovici (@alexksso) |
Broxen (@broxen) |
Dacon (@xDacon) |
![]() |
![]() |
Jay Daley (@JayDaley) |
Oleksii (@idokka) |
|
|
|
![]() |
|
|
OpenCollective Sponsors
Support this project by becoming a sponsor. Your logo will show up in the Contribute page of all Wiki.js installations as well as here with a link to your website! [Become a sponsor]
Patreon Backers
Thank you to all our patrons! 🙏 [Become a patron]
|
|
OpenCollective Backers
Thank you to all our backers! 🙏 [Become a backer]
Contributors
This project exists thanks to all the people who contribute. [Contribute].
Special Thanks
Browserstack for providing access to their great cross-browser testing tools.
Cloudflare for providing their great CDN, SSL and advanced networking services.
DigitalOcean for providing hosting of the Wiki.js documentation site and APIs.
Icons8 for providing access to their beautiful icon sets.
Localazy for providing access to their great localization service.
Lokalise for providing access to their great localization tool.
MacStadium for providing access to their Mac hardware in the cloud.
Netlify for providing hosting for our website.
ngrok for providing access to their great HTTP tunneling services.
Porkbun for providing domain registration services.