Commit a7ccc16

CSP: Do not highlight directive names with adjacent hyphens (#2662)
CSP tokens used `\b` to assert word boundaries but this is incorrect as CSP tokens may contain hyphens (`-`). This replaces the assertions with lookarounds that address the issue.
1 parent e01ecd0 commit a7ccc16

3 files changed

+14
-2
lines changed

Diff for: components/prism-csp.js

+2-1
@@ -11,7 +11,8 @@
1111

1212
Prism.languages.csp = {
1313
'directive': {
14-
pattern: /\b(?:base-uri|block-all-mixed-content|(?:child|connect|default|font|frame|img|manifest|media|object|script|style|worker)-src|disown-opener|form-action|frame-ancestors|plugin-types|referrer|reflected-xss|report-to|report-uri|require-sri-for|sandbox|upgrade-insecure-requests)\b/i,
14+
pattern: /(^|[^-\da-z])(?:base-uri|block-all-mixed-content|(?:child|connect|default|font|frame|img|manifest|media|object|script|style|worker)-src|disown-opener|form-action|frame-ancestors|plugin-types|referrer|reflected-xss|report-to|report-uri|require-sri-for|sandbox|upgrade-insecure-requests)(?=[^-\da-z]|$)/i,
15+
lookbehind: true,
1516
alias: 'keyword'
1617
},
1718
'safe': {
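
Review bot: the boundary class `[^-\da-z]` in the added `pattern:` line is not equivalent to `\b` with hyphen handling added. `\b` treated `_` as a word character, so a name like `default-src_x` was left alone before and is now highlighted as a directive, because `_` satisfies both the leading `(^|[^-\da-z])` group and the `(?=[^-\da-z]|$)` lookahead. If that is not intended, use `[^-\w]` in both places. Separately, the commit message speaks of CSP tokens in general while only `directive` is changed here; the `'safe'` entry visible in the trailing context is untouched, so please confirm whether its pattern needs the same treatment.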

Diff for: components/prism-csp.min.js

+1-1
Some generated files are not rendered by default.

Diff for: tests/languages/csp/issue2661.test

+11
@@ -0,0 +1,11 @@
1+
default-src-is-a-fake; fake-default-src;
2+
3+
----------------------------------------------------
4+
5+
[
6+
"default-src-is-a-fake; fake-default-src;"
7+
]
8+
9+
----------------------------------------------------
10+
11+
Checks for directive names with adjacent hyphens.
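
Review bot: the single input line covers only the negative cases (a directive name followed by `-` and one preceded by `-`), and the expected output is one plain string, so this file would still pass if the pattern stopped matching directives altogether. Add a valid directive next to the fakes with the corresponding `directive` token in the expected output, and a case where a directive is the last thing in the input so the `$` branch of the lookahead is exercised.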
