fix(ssr): address possible xss vector

yyx990803 · yyx990803 · commit 5091e2c98476 · 2017-08-29T16:42:54.000+02:00
diff --git a/src/platforms/web/server/modules/attrs.js b/src/platforms/web/server/modules/attrs.js
@@ -50,7 +50,7 @@ export function renderAttr (key: string, value: string): string {
   } else if (isEnumeratedAttr(key)) {
     return ` ${key}="${isFalsyAttrValue(value) || value === 'false' ? 'false' : 'true'}"`
   } else if (!isFalsyAttrValue(value)) {
-    return ` ${key}="${typeof value === 'string' ? cachedEscape(value) : value}"`
+    return ` ${key}="${cachedEscape(String(value))}"`
   }
   return ''
 }
diff --git a/test/ssr/ssr-string.spec.js b/test/ssr/ssr-string.spec.js
@@ -821,6 +821,19 @@ describe('SSR: renderToString', () => {
     })
   })
 
+  it('should prevent script xss with v-bind object syntax + array value', done => {
+    renderVmWithOptions({
+      data: {
+        test: ['"><script>alert(1)</script><!--"']
+      },
+      template: `<div v-bind="{ test }"></div>`
+    }, res => {
+      console.log(res)
+      expect(res).not.toContain(`<script>alert(1)</script>`)
+      done()
+    })
+  })
+
   it('v-if', done => {
     renderVmWithOptions({
       template: `

Original file line number	Diff line number	Diff line change
`@@ -50,7 +50,7 @@ export function renderAttr (key: string, value: string): string {`
`50`	`50`	`} else if (isEnumeratedAttr(key)) {`
`51`	`51`	return ` ${key}="${isFalsyAttrValue(value) \|\| value === 'false' ? 'false' : 'true'}"`
`52`	`52`	`} else if (!isFalsyAttrValue(value)) {`
`53`		- return ` ${key}="${typeof value === 'string' ? cachedEscape(value) : value}"`
	`53`	+ return ` ${key}="${cachedEscape(String(value))}"`
`54`	`54`	`}`
`55`	`55`	`return ''`
`56`	`56`	`}`