wiki/server
Ethan 1238d614e1 Merge pull request from GHSA-xjcj-p2qv-q3rf
* Update render.js

# Improved handling of mustache expressions and v-pre attribute assignment

## Changes Made:
- Ensured that the parent tag of such text nodes is explicitly set to a `<p>` tag with the `v-pre` attribute.
- Added debug messages for better understanding of the script execution flow [THIS SHOULD BE REMOVED WHEN PUSHING TO PRODUCTION].

## Why it Works:
- When a mustache expression is found, the script either wraps it in a new `<p>` tag with the `v-pre` attribute or adds the `v-pre` attribute to the existing parent `<p>` tag.
- This approach ensures that the template code is not removed but encapsulated within `<p>` tags with the `v-pre` attribute, as required.

## Test Cases Passed:
1. `<xyz>{{ constructor.constructor('alert(1)')() }}</xyz>`
2. `<xyz>{{ constructor.constructor('alert(1)')() }}</xyz>`
3. `<p><xyz>{{ constructor.constructor('alert(1)')() }}</p>`
4. `<p><xyz>{{ constructor.constructor('alert(1)')() }}</xyz></p>`
5. `<p>&lt;xyz&gt;{{constructor.constructor('alert("Test Case 8")')()}}&lt;xyz&gt;{{constructor.constructor('alert("Test Case 9")')()}}&lt;/xyz&gt;</p>`

This commit enhances the robustness and reliability of handling mustache expressions and ensures proper assignment of the `v-pre` attribute, to ensure that there is no room for the weaponization of the template code later in the rendering process.

* fix: move template expressions after dom-purify + handle text nodes without parent

---------

Co-authored-by: NGPixel <github@ngpixel.com>
2024-05-13 14:57:17 -04:00
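
The approach the commit message describes, as an added example that is not Wiki.js code: text nodes containing a mustache expression get `v-pre` on their parent, and text nodes with no parent are wrapped in `<p v-pre>`, so Vue leaves the expression uncompiled. The mini-DOM, the helper names (`el`, `txt`, `protectMustache`, `serialize`) and the inputs are assumptions constructed for illustration, with the test payload replaced by a harmless expression.

```javascript
// Constructed mini-DOM: element = {tag, attrs, children}, text = {text}.
// Hypothetical helpers; the real renderer works on a parsed HTML document.
const MUSTACHE = /\{\{[\s\S]*?\}\}/;

const el = (tag, children = [], attrs = {}) => ({ tag, attrs, children });
const txt = (text) => ({ text });

// Walk the tree. Every text node holding a mustache expression ends up
// under an element carrying v-pre, which makes Vue skip compilation there.
function protectMustache(nodes, parent = null) {
  return nodes.map((node) => {
    if (node.text !== undefined) {
      if (!MUSTACHE.test(node.text)) return node;
      if (parent) {
        parent.attrs['v-pre'] = '';            // existing parent: mark it
        return node;
      }
      return el('p', [node], { 'v-pre': '' }); // no parent: wrap the text
    }
    node.children = protectMustache(node.children, node);
    return node;
  });
}

const escapeText = (s) =>
  s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');

// Serialize back to HTML; the template text is kept, not stripped.
function serialize(nodes) {
  return nodes.map((n) => {
    if (n.text !== undefined) return escapeText(n.text);
    const attrs = Object.keys(n.attrs)
      .map((k) => (n.attrs[k] === '' ? ` ${k}` : ` ${k}="${n.attrs[k]}"`))
      .join('');
    return `<${n.tag}${attrs}>${serialize(n.children)}</${n.tag}>`;
  }).join('');
}

// Constructed inputs: expression nested in unknown tags, and a bare text node.
const nested = [el('p', [el('xyz', [txt('{{ 1 + 1 }}')])])];
const orphan = [txt('{{ 1 + 1 }}'), el('p', [txt('plain')])];

console.log(serialize(protectMustache(nested)));
console.log(serialize(protectMustache(orphan)));
```

As the second commit bullet notes, a pass like this belongs after sanitization, so the sanitizer cannot remove the `v-pre` attribute or restructure the nodes afterwards.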