leizongmin / js-xss

Sanitize untrusted HTML (to prevent XSS) with a configuration specified by a Whitelist
http://jsxss.com

"invalid group specifier name" error in Safari after upgrade to 1.0.12 #259

Closed scottohara closed 2 years ago

scottohara commented 2 years ago

We use xss in one of our front-end applications (bundled using webpack).

After recently upgrading from v1.0.11 to v1.0.12, our production error monitoring service started reporting occurrences of the following error:

SyntaxError: Invalid regular expression: invalid group specifier name

On further investigation we found that it was only impacting Safari users. Downgrading back to v1.0.11 resolves the issue.

We hope to follow up this issue with an example that demonstrates the error; but in the meantime we wanted to make you aware of the issue in case you may already have an idea which of the four "fix:" commits that went into v1.0.12 could be causing this.

scottohara commented 2 years ago

The following HTML will demonstrate the issue:

<!DOCTYPE html>
<html>
  <head>
    <!-- Loading the bundle is enough to reproduce: the error is raised while Safari parses the script, before anything calls xss() -->
    <script src="https://rawgit.com/leizongmin/js-xss/master/dist/xss.js"></script>
  </head>
</html>

Steps to reproduce:

  1. Save the above HTML to a file
  2. Launch Chrome and Safari
  3. Open the browser consoles in both browsers
  4. Navigate to the HTML file
  5. Note that in Chrome there are no errors/warnings
  6. Note that in Safari, the "invalid group specifier name" occurs

I hope this helps.
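The repro above does nothing but load the bundle, and Safari alone reports a SyntaxError. The following is an added example, not code from js-xss or from anyone in this thread. It shows why a regular-expression construct that one engine rejects fails at script parse time rather than at the call that uses it, and how a library can probe for engine support with the RegExp constructor instead of crashing. The thread does not show which pattern PR #257 introduced; lookbehind is used here only as a stand-in, because Safari versions without lookbehind support rejected "(?<=...)" with this same "invalid group specifier name" message. The names regexSupported, engineReport, compileHandlerPattern and findEventHandlerAttrs, the probe list and the sample tag are all assumptions made for this example.

```javascript
// Added example, not code from js-xss or this thread. It shows why one
// unsupported regex construct inside a bundled library takes down the whole
// page in a single browser, and how a library can probe engine support
// instead of failing at parse time.
//
// A regex *literal* such as /(?<=a)b/ is compiled while the script is being
// parsed. If the engine rejects it, the SyntaxError fires before any code in
// that file runs: the bundle never evaluates, nothing it would have defined
// exists, and an app that renders from it shows a blank page. A pattern built
// with the RegExp constructor is compiled when the call executes, so the same
// rejection becomes an ordinary catchable error.

function regexSupported(source, flags = "") {
  try {
    new RegExp(source, flags);
    return true;
  } catch (err) {
    if (err instanceof SyntaxError) return false; // engine rejects this syntax
    throw err; // anything else is a real bug; do not mask it
  }
}

// Constructs to probe (assumed list). Older Safari rejected lookbehind with the
// "invalid group specifier name" message quoted in the issue; the thread does
// not show which pattern #257 used, so lookbehind stands in for it here.
const PROBES = {
  lookbehind: ["(?<=a)b", ""],
  namedGroup: ["(?<name>a)", ""],
  unicodeProperty: ["\\p{L}", "u"],
};

// Returns { probeName: true|false } for the engine this code runs in.
function engineReport(probes = PROBES) {
  const report = {};
  for (const [name, [source, flags]] of Object.entries(probes)) {
    report[name] = regexSupported(source, flags);
  }
  return report;
}

// Hypothetical sanitizer helper: list inline event-handler attribute names
// (onclick, onerror, ...) in a single tag. Two equivalent pattern sources:
// a lookbehind form, and a capture-group form for engines without lookbehind.
const LOOKBEHIND_SRC = "(?<=\\s)on[a-z]+(?=\\s*=)"; // whole match is the name
const FALLBACK_SRC = "\\s(on[a-z]+)\\s*=";           // name is capture group 1

// Pick the pattern at runtime; a library that did this would degrade
// gracefully instead of throwing while the bundle is parsed.
function compileHandlerPattern() {
  if (regexSupported(LOOKBEHIND_SRC)) {
    return { source: LOOKBEHIND_SRC, group: 0 };
  }
  return { source: FALLBACK_SRC, group: 1 };
}

function findEventHandlerAttrs(tag, pattern = compileHandlerPattern()) {
  const re = new RegExp(pattern.source, "gi"); // fresh object, lastIndex = 0
  const names = [];
  let m;
  while ((m = re.exec(tag)) !== null) {
    names.push(m[pattern.group].toLowerCase());
  }
  return names;
}

// Stand-alone demonstration on a constructed tag.
const sample = '<img src="x" onerror="alert(1)" onLoad=fn()>';
console.log(engineReport());
if (regexSupported(LOOKBEHIND_SRC)) {
  console.log("lookbehind path:",
    findEventHandlerAttrs(sample, { source: LOOKBEHIND_SRC, group: 0 }));
}
console.log("fallback path:  ",
  findEventHandlerAttrs(sample, { source: FALLBACK_SRC, group: 1 }));
```

The practical check for a bundled library is the one the reporter used: run the built bundle in each browser you support, not just under Node in CI. Babel and similar tools rewrite JavaScript syntax, but a lookbehind assertion has no general transform, so a build can pass every Node-based test and still throw the moment Safari parses the script.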

bahung1221 commented 2 years ago

+1, same issue on safari

stangao commented 2 years ago

+1, same issue on safari

sashkomatviychuk commented 2 years ago

I have the same issue with graphql/graphql-playground package during running the tests

leizongmin commented 2 years ago

Hi all, I am very sorry to hear that. This problem was introduced in this MR https://github.com/leizongmin/js-xss/pull/257 . I have just reverted this commit and released a new version, xss@1.0.13. You can try this new version.

scottohara commented 2 years ago

Thanks for the quick response @leizongmin. I can confirm that v1.0.13 no longer has the issue in Safari.

Much appreciated. 🎉

yuningjiang123 commented 2 years ago

This change turned our project's home page into a blank white screen; I nearly got a formal reprimand for it 😭