Closed mozfreddyb closed 6 years ago
I don't see any obvious concerns, can we ensure that the following fails:
```javascript
(() => { this.eval("alert(1)"); })();
```
Especially as use of a top level arrow can be common:
```html
<script>
  document.body.addEventListener("click", () => {
    this.eval("alert(1)");
  });
</script>
```
I know we took the stance to avoid obfuscation; however, I think this could be a risk, especially for the more generic cases that we allow customisation for.
The other concern is window callbacks:
```javascript
window.addEventListener("focus", function () {
  this.eval("alert(1)");
});
```
We don't disallow `eval`, so I'm assuming you're thinking of another bad function like `insertAdjacentHTML`. We do disallow `this.insertAdjacentHTML()` and `this().insertAdjacentHTML`.
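The point made above, that the rule matches on the sink's property name and does not care whether the receiver is `this`, `this()`, or `document.body`, is shown in the added example below. This is an illustrative ESTree walker written for this page, not eslint-plugin-no-unsanitized's own code; the `SINKS` deny list, the node-builder helpers and the sample program are assumptions constructed for the example.

```javascript
// Added example: an ESTree walker in the spirit of an ESLint rule that flags
// calls to dangerous DOM sinks by *property name*, regardless of the receiver.
// Not the plugin's own code; the sink list and helpers are this example's assumptions.

// Hypothetical deny list of sink methods (assumption for this example).
const SINKS = new Set(["insertAdjacentHTML", "write", "writeln"]);

// Minimal ESTree node builders so a sample program can be built inline without a parser.
const id = (name) => ({ type: "Identifier", name });
const thisExpr = () => ({ type: "ThisExpression" });
const str = (value) => ({ type: "Literal", value });
const member = (object, property, computed = false) =>
  ({ type: "MemberExpression", object, property, computed });
const call = (callee, args = []) => ({ type: "CallExpression", callee, arguments: args });
const program = (...exprs) => ({
  type: "Program",
  body: exprs.map((expression) => ({ type: "ExpressionStatement", expression })),
});

// Static property name of a MemberExpression: `a.b` -> "b", `a["b"]` -> "b",
// `a[b]` -> null (dynamic, cannot be decided at lint time).
function propertyName(node) {
  if (!node.computed) return node.property.name;
  if (node.property.type === "Literal" && typeof node.property.value === "string") {
    return node.property.value;
  }
  return null;
}

// Short rendering of a receiver expression for the report.
function describe(node) {
  switch (node.type) {
    case "ThisExpression": return "this";
    case "Identifier": return node.name;
    case "CallExpression": return describe(node.callee) + "()";
    case "MemberExpression": {
      const p = propertyName(node);
      return describe(node.object) + (p === null ? "[...]" : "." + p);
    }
    default: return node.type;
  }
}

// Walk the tree; every CallExpression whose callee is `<anything>.<sink>` is reported.
// The receiver (`this`, `this()`, `document.body`, ...) never enters the decision,
// which is why a ThisExpression adds no risk beyond the sink check itself.
function findSinkCalls(node, findings = []) {
  if (node === null || typeof node !== "object") return findings;
  if (Array.isArray(node)) {
    node.forEach((n) => findSinkCalls(n, findings));
    return findings;
  }
  if (node.type === "CallExpression" && node.callee.type === "MemberExpression") {
    const name = propertyName(node.callee);
    if (name !== null && SINKS.has(name)) {
      findings.push(`${describe(node.callee.object)}.${name}`);
    }
  }
  for (const key of Object.keys(node)) {
    if (key !== "type") findSinkCalls(node[key], findings);
  }
  return findings;
}

// Constructed sample program (built by hand for this example), equivalent to:
//   this.insertAdjacentHTML("beforeend", x);
//   this().insertAdjacentHTML("beforeend", x);
//   document.body.insertAdjacentHTML("beforeend", x);
//   this["insertAdjacentHTML"]("beforeend", x);
//   this.eval("alert(1)");        // eval is not in the sink list, so not reported
//   this[name]("beforeend", x);   // dynamic property, undecidable, not reported
const sample = program(
  call(member(thisExpr(), id("insertAdjacentHTML")), [str("beforeend"), id("x")]),
  call(member(call(thisExpr()), id("insertAdjacentHTML")), [str("beforeend"), id("x")]),
  call(member(member(id("document"), id("body")), id("insertAdjacentHTML")), [str("beforeend"), id("x")]),
  call(member(thisExpr(), str("insertAdjacentHTML"), true), [str("beforeend"), id("x")]),
  call(member(thisExpr(), id("eval")), [str("alert(1)")]),
  call(member(thisExpr(), id("name"), true), [str("beforeend"), id("x")]),
);

console.log(findSinkCalls(sample));
```

Running it reports the four `insertAdjacentHTML` calls and neither the `this.eval(...)` call (because `eval` is not in the deny list) nor the dynamic `this[name](...)` call, which a static rule cannot resolve.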
Added some tests for the review comment :)
This is great, will merge when Travis is happy :).
Hey @jonathanKingston can you take a look? I think ThisExpressions pose no risk, but I'd like a second pair of eyes on this.