Open hundan2020 opened 5 years ago
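Thank you very much for your feedback! However, this tool is for formatting JSON; if the input is not JSON in the first place, even the best tool cannot format it. If the tool needs an upgrade, it would be to add a JSON validity check before formatting.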
I got your point, and here is some supplementary explanation.
The first PoC I sent was executed manually; in fact, I mean, the code will execute automatically. Look at this new PoC:
{
"a":(function(){
confirm(1)
})()
}
Now I open the Chrome extension; you can see the source code, and the code was executed.
Got ~ I'll add compatibility handling for this.
Btw: for this kind of case, this tool would be more suitable: https://www.baidufe.com/fehelper/codebeautify.html
Hi, is there a fix for CVE-2019-12966? If so, in what commit?
Thanks in advance!
PoC:
When the page is a single piece of JS content, it may result in code execution. (It shouldn't be executed when browsing a single JS file without any HTML tag.)
I discovered the insecure code in https://github.com/zxlie/FeHelper/blob/master/apps/json-format/automatic.js, line 199 to line 206. Additionally, I understand the code is made compatible with bad JSON content like {a:1}, but as a result, it's insecure.
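One way to combine the validity check mentioned in the thread with tolerance for lenient input like {a:1}, as an added example that is not FeHelper's own code: the text is only ever handed to JSON.parse and is never evaluated as script. The names quoteBareKeys and safeFormat are hypothetical, and the sample inputs are the ones quoted in this thread.

```javascript
// Quote bare identifier keys ({a:1} -> {"a":1}) by scanning the text.
// String literals are copied through untouched; nothing is evaluated.
function quoteBareKeys(text) {
  let out = '';
  let i = 0;
  while (i < text.length) {
    const ch = text[i];
    if (ch === '"') {
      // Copy a double-quoted string verbatim, honouring backslash escapes.
      let j = i + 1;
      while (j < text.length && text[j] !== '"') j += text[j] === '\\' ? 2 : 1;
      out += text.slice(i, j + 1);
      i = j + 1;
    } else if (ch === '{' || ch === ',') {
      out += ch;
      i += 1;
      // A bare key is an identifier directly followed by a colon.
      const m = /^(\s*)([A-Za-z_$][\w$]*)(\s*):/.exec(text.slice(i));
      if (m) {
        out += `${m[1]}"${m[2]}"${m[3]}:`;
        i += m[0].length;
      }
    } else {
      out += ch;
      i += 1;
    }
  }
  return out;
}

// Returns { ok: true, pretty } for data and { ok: false } for anything else.
// Input containing expressions (function calls, parentheses) fails both
// JSON.parse attempts and is left for the caller to show as plain text.
function safeFormat(text) {
  for (const candidate of [text, quoteBareKeys(text)]) {
    try {
      return { ok: true, pretty: JSON.stringify(JSON.parse(candidate), null, 2) };
    } catch (e) {
      // Not valid JSON in this form; try the next candidate or give up.
    }
  }
  return { ok: false };
}
```
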