Conversation
🦋 Changeset detected. Latest commit: 4e8ba83. The changes in this PR will be included in the next version bump. This PR includes changesets to release 30 packages.
✅ Deploy Preview for module-federation-docs ready!
| } = new Function(${JSON.stringify(sanitizedPublicPath)})()`; | ||
| } else { | ||
| code = `(${this._getPublicPath})()`; | ||
| code = `${ |
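Review bot: in the else branch, `code = \`(${this._getPublicPath})()\`` calls the configured function but discards its return value, whereas the sanitized branch assigns the result to `${compiler.webpack.RuntimeGlobals.publicPath}`; the two branches therefore have different contracts. Either prefix the call with the same assignment, or document that a function-valued getPublicPath is expected to set the public path itself.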
@ScriptedAlchemy hey, I see this just calls the function before; not sure whether you forgot to add webpackRequire.p = function(){} or you want users to pass getPublicPath and assign it themselves, like getPublicPath: function(){ webpackRequire.p = 'https://' }
Originally I had implemented it with the ability to accept arguments, but I think you were concerned about backward compat, so we did not add arguments to the function call. But originally I had intended for this capability to exist, and removed it after you raised some concern many months ago.
522f3ec to d916eed
d916eed to c13b942
| code = `${ | ||
| compiler.webpack.RuntimeGlobals.publicPath | ||
| } = new Function(${JSON.stringify(this._getPublicPath)})()`; | ||
| } = new Function(${JSON.stringify(sanitizedPublicPath)})()`; |
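Review bot: replacing `this._getPublicPath` with `sanitizedPublicPath` inside `JSON.stringify(...)` does not address what the alert is about. `JSON.stringify` already produces a well-formed JavaScript string literal for any input (quotes, backslashes and control characters escaped), so the body handed to `new Function` is the configured text either way, and it is executed at load time by design; no escaping step can make that safe for an untrusted value. If the extra pass exists only to keep the emitted source parseable on engines that predate ES2019 (raw U+2028/U+2029 inside a literal), say so in a comment, and note that any rewriting of backslashes or newlines done before `JSON.stringify` is escaped a second time, so a body containing them reaches the runtime altered.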
Code scanning / CodeQL warning: Improper code sanitization (Medium)
Copilot Autofix (AI, 11 months ago)
To fix the problem, we need to ensure that the sanitizedPublicPath is properly sanitized before being used in the dynamic code execution. We can enhance the escapeUnsafeChars function to cover a broader range of potentially dangerous characters and sequences. Additionally, we should ensure that the sanitizedPublicPath is properly escaped before being passed to JSON.stringify.
- Enhance the escapeUnsafeChars function to cover more potentially dangerous characters.
- Use the enhanced escapeUnsafeChars function to sanitize this._getPublicPath.
- Ensure that the sanitized value is properly escaped before being used in dynamic code execution.
| @@ -20,3 +20,3 @@ | ||
| function escapeUnsafeChars(str: string) { | ||
| return str.replace(/[<>\b\f\n\r\t\0\u2028\u2029\\]/g, (x) => charMap[x]); | ||
| return str.replace(/[<>\b\f\n\r\t\0\u2028\u2029\\]/g, (x) => charMap[x]).replace(/['"]/g, (x) => '\\' + x); | ||
| } | ||
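Review bot: the added `.replace(/['"]/g, (x) => '\\' + x)` breaks every body that contains a string literal. The escaped value is still passed through `JSON.stringify` in the second hunk, which escapes both the quote and the newly inserted backslash again, so a body such as `return "https://cdn.example/"` is decoded by the runtime as `return \"https://cdn.example/\"` and `new Function` rejects it with a SyntaxError. `JSON.stringify` already handles quotes; drop this replace.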
| @@ -40,3 +40,3 @@ | ||
| compiler.webpack.RuntimeGlobals.publicPath | ||
| } = new Function(${JSON.stringify(sanitizedPublicPath)})()`; | ||
| } = new Function(${JSON.stringify(escapeUnsafeChars(sanitizedPublicPath))})()`; | ||
| } else { |
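Review bot: `escapeUnsafeChars(sanitizedPublicPath)` applies the escaper to a value whose name says it has already been through it, so the `\\` rule doubles the backslashes the first pass inserted, and together with the quote escaping from the previous hunk the decoded body is no longer valid JavaScript. Neither pass changes what ends up being executed, only whether the emitted source still parses; the alert is better closed by documenting that getPublicPath is trusted build-time configuration than by adding escaping.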
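To see what each escaper does to the body that finally reaches `new Function`, here is an added example written for this review; it is not code from the module-federation PR or repository. It builds the same `${publicPath} = new Function(JSON.stringify(body))()` text the plugin emits, evaluates it as the bundle would at load time, and compares three variants: no escaping, the page's `escapeUnsafeChars`, and the Copilot autofix. The assumptions are mine: `charMap` is reconstructed from the regex in the hunk (the real map is not on the page); `sanitizedPublicPath` is taken to be `escapeUnsafeChars(this._getPublicPath)`, which is what the autofix text implies; a local `publicPath` variable stands in for `compiler.webpack.RuntimeGlobals.publicPath`; and the sample bodies are constructed.

```javascript
'use strict';

// charMap is an ASSUMED reconstruction from the regex below; the page shows
// only the regex, not the map. Each entry is the JavaScript escape sequence
// for the character (a real newline becomes the two characters \n).
const charMap = {
  '<': '\\u003C',
  '>': '\\u003E',
  '\b': '\\b',
  '\f': '\\f',
  '\n': '\\n',
  '\r': '\\r',
  '\t': '\\t',
  '\0': '\\0',
  '\u2028': '\\u2028',
  '\u2029': '\\u2029',
  '\\': '\\\\',
};

// The escaper as it appears in the hunk above (same character class).
function escapeUnsafeChars(str) {
  return str.replace(/[<>\b\f\n\r\t\0\u2028\u2029\\]/g, (x) => charMap[x]);
}

// The Copilot autofix variant: the same escaper plus backslash-escaped quotes.
function escapeUnsafeCharsAutofix(str) {
  return escapeUnsafeChars(str).replace(/['"]/g, (x) => '\\' + x);
}

// Build the runtime source text in the shape the plugin emits:
//   `${publicPath} = new Function(${JSON.stringify(body)})()`
// A plain `publicPath` variable stands in for the webpack runtime global.
function emitRuntimeAssignment(body) {
  return `publicPath = new Function(${JSON.stringify(body)})();`;
}

// Evaluate the emitted text the way the bundle would at load time. Returns the
// public path it assigned, or the error name if the text does not parse or run.
function runEmitted(runtimeSource) {
  try {
    return new Function(`var publicPath; ${runtimeSource} return publicPath;`)();
  } catch (err) {
    return err.name;
  }
}

// Push one body through a sanitizer, emit, and run.
function roundTrip(body, sanitize) {
  return runEmitted(emitRuntimeAssignment(sanitize(body)));
}

const identity = (s) => s;
const SANITIZERS = { none: identity, page: escapeUnsafeChars, autofix: escapeUnsafeCharsAutofix };

// Constructed getPublicPath bodies (the option is a function body as a string).
const SAMPLES = {
  simple: 'return "https://cdn.example/"',
  multiline: 'return [\n  "https://cdn.example/",\n  "assets/"\n].join("")',
  backslash: 'return "C:\\\\assets\\\\"', // body text is: return "C:\\assets\\"
  lineSep: 'return "a\u2028b"',          // raw U+2028 inside the string literal
};

// Result of every body under every sanitizer, keyed by sample then sanitizer.
function report() {
  const out = {};
  for (const [sample, body] of Object.entries(SAMPLES)) {
    out[sample] = {};
    for (const [name, sanitize] of Object.entries(SANITIZERS)) {
      out[sample][name] = roundTrip(body, sanitize);
    }
  }
  return out;
}

// Escaping keeps the emitted source well-formed; it does not limit what the
// body does. Returns true when a side effect in the body reached the global object.
function sanitizerIsNotASandbox() {
  delete globalThis.__mf_example_marker;
  const body = 'globalThis.__mf_example_marker = "ran"; return "https://cdn.example/"';
  const publicPath = roundTrip(body, escapeUnsafeChars);
  return publicPath === 'https://cdn.example/' && globalThis.__mf_example_marker === 'ran';
}

if (typeof require !== 'undefined' && require.main === module) {
  console.table(report());
  console.log('sanitizer is not a sandbox:', sanitizerIsNotASandbox());
}
```

Run it with node to get the table. The multiline and backslash rows show that layering the page's escaper under JSON.stringify already turns a body with newlines into a SyntaxError and silently doubles backslashes inside a string literal; the simple row shows the autofix breaking the most common body; the lineSep row is the one case where the escaper and plain JSON.stringify agree on current engines (on engines before ES2019 the raw U+2028 would not parse, which is the only thing the escaper buys); and sanitizerIsNotASandbox shows that none of this constrains what the body does once it runs.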
Description
rspack plugin: support getPublicPath