From 70e4c53050b2db7c0744bba1b51bfa96edd2a526 Mon Sep 17 00:00:00 2001
From: Jason Miller
Date: Mon, 12 Sep 2022 10:51:34 -0400
Subject: [PATCH] Ignore non-VNode objects during rendering
This fixes #245.
---
src/index.js | 3 +++
src/pretty.js | 3 +++
test/jsx.test.js | 4 ++++
test/pretty.test.js | 6 ++++++
test/render.test.js | 4 ++++
5 files changed, 20 insertions(+)
diff --git a/src/index.js b/src/index.js
index 9892d218..206a1d67 100644
--- a/src/index.js
+++ b/src/index.js
@@ -210,6 +210,9 @@ function _renderToString(vnode, context, isSvgMode, selectValue, parent) {
return rendered;
}
+ // VNodes have {constructor:undefined} to prevent JSON injection:
+ if (vnode.constructor !== undefined) return '';
+
vnode[PARENT] = parent;
if (options[DIFF]) options[DIFF](vnode);
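Review bot: The guard on L21 is the right test for the stated threat, but its comment only explains the VNode side; it should also say why `!== undefined` is sound, namely that an object coming out of `JSON.parse` can never carry `constructor: undefined` (an own `constructor` key parsed from JSON is at most `null`, otherwise the inherited `Object.prototype.constructor` is found). Suggested wording: `// Objects that did not come from createElement (e.g. JSON.parse output, whose constructor is the inherited Object or an own non-undefined value) are dropped before any state is written to them.` The converse is worth a line too: a null-prototype object (`Object.create(null)`) has no `constructor` and passes this guard; that is not reachable from JSON.parse, so it is consistent with the threat model, but the guard proves "did not come from JSON or a literal", not "is a VNode". Placement before `vnode[PARENT] = parent` and the `options[DIFF]` hook is correct, since a rejected object is neither mutated nor handed to user hooks. `_renderToString` starts and ends outside the hunk.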
diff --git a/src/pretty.js b/src/pretty.js
index 4d85cbc7..de7e66d3 100644
--- a/src/pretty.js
+++ b/src/pretty.js
@@ -53,6 +53,9 @@ export function _renderToStringPretty(
return rendered;
}
+ // VNodes have {constructor:undefined} to prevent JSON injection:
+ if (vnode.constructor !== undefined) return '';
+
let nodeName = vnode.type,
props = vnode.props,
isComponent = false;
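Review bot: The guard and its comment on L32–L33 duplicate L20–L21 of `src/index.js` verbatim, so any future change to how VNodes are marked has to be made in two renderers that are easy to update independently. A small shared predicate, `export function isVNode(vnode) { return vnode.constructor === undefined; }`, used as `if (!isVNode(vnode)) return '';` in both files would keep the two checks from drifting; I cannot see a shared util module from here, so where it lives is a judgement call. Placement is fine: the check runs before `vnode.type` and `vnode.props` are read on L35–L36. `_renderToStringPretty` starts and ends outside the hunk.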
diff --git a/test/jsx.test.js b/test/jsx.test.js
index 733ebaf4..e2969835 100644
--- a/test/jsx.test.js
+++ b/test/jsx.test.js
@@ -163,4 +163,8 @@ describe('jsx', () => {
`);
});
+
+ it('should prevent JSON injection', () => {
+ expect(renderJsx({{ hello: 'world' }}
)).to.equal('');
+ });
});
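Review bot: The fixture on L47 is an object literal, so the test does not exercise the case its title names: an object produced by `JSON.parse` that is shaped like a VNode. A `{ hello: 'world' }` literal has no `type`/`props`, so it says little about a JSON object that mimics one; building the fixture as `JSON.parse('{"type":"b","props":{"children":"x"}}')` pins that a VNode-shaped JSON object is rejected because of its `constructor`, not because it lacks renderable keys. The wrapper around the object on L47–L48 appears to have lost its tags in this view, so I cannot confirm the exact call form. The enclosing `describe` starts outside the hunk.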
diff --git a/test/pretty.test.js b/test/pretty.test.js
index 5c6b4410..9ddfecd1 100644
--- a/test/pretty.test.js
+++ b/test/pretty.test.js
@@ -222,4 +222,10 @@ describe('pretty', () => {
`);
});
+
+ it('should prevent JSON injection', () => {
+ expect(prettyRender({{ hello: 'world' }}
)).to.equal(
+ ''
+ );
+ });
});
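Review bot: The new case on L60–L63 only covers a rejected object at the top level; in pretty mode the interesting question is what happens when the object is a child of a real element, since a child that renders to `''` could still leave the element's newline/indent handling producing an extra blank line. A sibling assertion such as `expect(prettyRender(<div>{{ hello: 'world' }}</div>)).to.equal(prettyRender(<div />));` pins that a dropped child is indistinguishable from no child without hard-coding the pretty formatting. I am inferring the child path from the hunk in `src/pretty.js`; it is not visible here. The enclosing `describe` starts outside the hunk.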
diff --git a/test/render.test.js b/test/render.test.js
index 3783569c..0ca58827 100644
--- a/test/render.test.js
+++ b/test/render.test.js
@@ -1260,4 +1260,8 @@ describe('render', () => {
''
);
});
+
+ it('should prevent JSON injection', () => {
+ expect(render({{ hello: 'world' }}
)).to.equal('');
+ });
});
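Review bot: The test on L76 only passes the plain object directly to `render`; the guard also needs to hold when the object arrives through the children path, inside a real element's children array, which is the likelier shape for injected data (`<div>{data}</div>` with `data` taken from a request body). Adding `expect(render(<div>{[{ hello: 'world' }, 'ok']}</div>)).to.equal('<div>ok</div>');` covers the array recursion and checks that siblings around the dropped object still render. I am inferring that array children recurse back into `_renderToString`; that path is not visible in this patch. The enclosing `describe` starts outside the hunk.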