/Always securely use square brackets.js
Last active Oct 2, 2019
Always securely use square brackets https://stackoverflow.com/questions/57960770/securely-set-unknown-property-mitigate-square-bracket-object-injection-attacks
| // WORK IN PROGRESS... | |
| const safeGet = (obj, key) => { | |
| if (obj[key] == null) obj[key]; | |
| if (typeof obj[key] === 'function') { | |
| throw new Error('Cannot safely get '+key+' since it a function. Use square bracket syntax to directly access instead.'); | |
| } | |
| if (Object.prototype.hasOwnProperty.call(obj, key)) { | |
| return obj[key]; | |
| } else { | |
| // This console log could be rather buggy: | |
| // console.debug('object', obj, 'has no key', key); | |
| return undefined; | |
| } | |
| }; | |
| const safeSet = (obj, key, val) => { | |
| if (typeof val === 'function') { | |
| throw new Error('Cannot safely set '+key+' - supplied value is a function. Set directly via square bracket syntax.'); | |
| } | |
| // propertyBlacklist (could be some sort of const declared at top) | |
| if (key === 'constructor' || key === 'innerHTML' || key === 'src') { | |
| throw new Error('Cannot safely set '+key+' - can lead to remote code execution'); | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment