@ichernev
Last active January 18, 2024 11:31

Moment 2.30.0

Bugfixes

  • #6128 [feature] Graceful handling of undefined locale name
  • #5554 [bugfix] Handle invalid mutations
  • #6193 [bugfix] weekyear setter handle dow
  • #5592 [bugfix] Stricter single digit date parsing
  • #5827 [bugfix] ts: toISOString function also return null
  • #5607 [bugfix] unify duration.valueOf and asMilliseconds

New Locales

  • #5949 [new locale] ku-kmr: Kurdish (Northern Kurdish)
  • #5190 [new locale] ar-ps: Arabic (Palestine)

Locale improvements

  • #6191 [locale] cs: Improve month names
  • #5772 [locale] bs: Add author
  • #5748 [locale] bs: Improve relative minute
  • #6067 [locale] nl, nl-be: Fix erroneous regex anchoring
  • #5790 [locale] nb: Fixed typo in relative times

Misc

  • #5718 [misc] Use switch-case for better get-set performance (#2659)
  • #5778 [misc] fix min/moment-with-locales typing
  • #5581 [misc] speedup month & era locale handling
  • #6086 [misc] Update contributing doc
  • #6055 [misc] refactor unit aliases and priorities

dinapavlyukovich commented Jan 18, 2024

Result message: This replaces only the first occurrence of '\'.

Snippet:

function unescapeFormat(s) {
    return regexEscape(
        s
            .replace('\\', '')
            .replace(
                /\\(\[)|\\(\])|\[([^\]\[]*)\]|\\(.)/g,
                function (matched, p1, p2, p3, p4) {
                    return p1 || p2 || p3 || p4;
                }
            )
    );
}

Rule name: js/incomplete-sanitization

Rule short description: Incomplete string escaping or encoding

Rule full description: A string transformer that does not replace or escape all occurrences of a meta-character may be ineffective.

Hello, can I ask you about this regular expression in your function?

The vulnerability in this case is that the unescapeFormat() function removes only the first occurrence of the backslash character (\). This means that other occurrences of the character may be left unescaped, which could lead to unexpected consequences when interpreting the string.

Possible consequences of the vulnerability:

  • Injection attacks (e.g., SQL injection, cross-site scripting) if user input is used in queries or HTML without proper escaping.
  • Misinterpretation of string literals or regular expressions due to unescaped backslashes.

How critical is this? If yes, will there be a fix in the next version? If not, please help me understand why.


dinapavlyukovich commented Jan 18, 2024

Can we do this fix in our project?

function unescapeFormat(s) {
    return regexEscape(
        s
            .replace(/\\/g, '')
            .replace(
                /\\(\[)|\\(\])|\[([^\]\[]*)\]|\\(.)/g,
                function (matched, p1, p2, p3, p4) {
                    return p1 || p2 || p3 || p4;
                }
            )
    );
}
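The two variants quoted in the comments above, run side by side on constructed format strings, as an added example that is not part of the gist or of moment.js; regexEscape here is a local stand-in with the same purpose (escaping regex metacharacters), and the sample strings are constructed.

```javascript
// Added example (not code from the gist or from moment.js): the two
// unescapeFormat variants quoted in the comments, run on constructed input.
// regexEscape is a stand-in that escapes regex metacharacters; moment's own
// helper may differ in detail.
function regexEscape(s) {
    return s.replace(/[-\/\\^$*+?.()|[\]{}]/g, '\\$&');
}

// Shared tail of both variants: the escape-handling regex from the snippet.
// It turns "\[" into "[", "\]" into "]", "[text]" into "text" and "\x" into "x".
function stripFormatEscapes(s) {
    return s.replace(
        /\\(\[)|\\(\])|\[([^\]\[]*)\]|\\(.)/g,
        (matched, p1, p2, p3, p4) => p1 || p2 || p3 || p4
    );
}

// Variant flagged by the scanner: a string pattern removes only the first backslash.
function unescapeFormatFirstOnly(s) {
    return regexEscape(stripFormatEscapes(s.replace('\\', '')));
}

// Variant proposed in the second comment: a global regex removes every backslash,
// so the "\[", "\]" and "\x" alternatives above can never match afterwards.
function unescapeFormatAll(s) {
    return regexEscape(stripFormatEscapes(s.replace(/\\/g, '')));
}

// Returns both results for one format string plus whether they differ.
function compare(format) {
    const firstOnly = unescapeFormatFirstOnly(format);
    const all = unescapeFormatAll(format);
    return { format, firstOnly, all, differs: firstOnly !== all };
}

// Constructed inputs (JS literals, so '\\' is a single backslash character).
const SAMPLES = [
    'h:mm',        // no escapes at all
    'h \\m',       // a single escaped token: the one backslash goes either way
    '[at] h',      // bracket literal without backslashes
    '\\[h\\]',     // escaped brackets: the second backslash survives the first variant
    'h\\\\',       // two trailing backslashes: one survives the first variant
];

for (const sample of SAMPLES) {
    console.log(compare(sample));
}
```

The samples where both variants agree are the cases the scanner rule is not about; the escaped-bracket and doubled-backslash samples show where a non-global replace leaves a backslash behind, and where removing all of them changes what the following regex can still match.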
