Properly escape all relevant HTML entities
Avoid problems with files named things like '<img>' and so on.
- var name = f.replace(/"/g, '"')
+ var name = f
+ .replace(/"/g, '"')
+ .replace(/>/g, '<')
+ .replace(/</g, '>')
+ .replace(/'/g, ''')
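Review bot: the chain never escapes the ampersand, so a name that already contains entity text (a file literally called &lt;img&gt;) is emitted unchanged and displays exactly like a file called <img>; add a replace of & with &amp; as the first step of the chain, first because doing it after the others would re-escape the & that &gt;, &lt; and &quot; themselves contain. As rendered on this page the replacement strings read as bare characters ('"', '<', '>'), with > mapped to '<' and < mapped to '>'; taken literally these lines would only swap the angle brackets and leave the double quote as it was, so I assume the page has decoded the entity text (&quot;, &gt;, &lt;, &#39;) and the commit itself should be checked to confirm. Beyond this call site, the escaping belongs in one helper applied to every value interpolated into the listing, the href attribute as well as the link text, rather than a chain of replaces at the one place a report pointed at.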
Jesus tapdancing christ that is seriously scary to see in something that's allegedly "all totally secure now, for really reals". More so the fact that such simple sanitization was missing for so long.
Well, I guess I'll put off learning node a bit longer then.
Not much more encouraging. It looks to me like patchwork. I've had this in the past: I would give a PoC to a client along with a recommended design change to the questionable methods in the code. They would send back a new version with a patch much like all of those linked here. In the end those patches address the PoC but not the problem. Then I just rework the PoC to go around the patch. This cat-and-mouse game goes on until they go back, do the f'ing work, and implement the original design change suggested. I say all that just to point out that this looks like patchwork and is scary behaviour. Then again, maybe this is the nature of nodejs (omg).
Also, as a general rule:
ANY SECURITY PATCH THAT IS A REGEX IS NOT A SECURITY PATCH
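An added example, my own code and not the st project's or either commenter's, of what the commit above does beside a complete escaper for the same listing. The four-replace version never escapes '&', so two different filenames can render identically; once '&' is included its position in the chain matters; and the fix the previous comment asks for is one helper used at every interpolation point rather than a replace chain at one site. The listingRow helper, its use of encodeURIComponent for the href, and the filenames are constructed for illustration and assume nothing about st's actual listing code.

```javascript
// Added example (not st's code). Escaping for a directory listing, done
// badly (as in the quoted commit) and done completely. Filenames below
// are constructed; listingRow() is a hypothetical stand-in for the
// listing template, not the project's own.

// The four replacements the commit makes, in the commit's order, and
// nothing for '&'. Any name that already looks like entity text passes
// through untouched and is indistinguishable from the unescaped name.
function escapeLikePatch(f) {
  return f
    .replace(/"/g, '&quot;')
    .replace(/>/g, '&gt;')
    .replace(/</g, '&lt;')
    .replace(/'/g, '&#39;');
}

// Wrong fix for the missing '&': adding it at the END of the chain
// re-escapes the '&' produced by the earlier replacements, so '<'
// comes out as '&amp;lt;' and the browser shows the literal text '&lt;'.
function escapeAmpLast(f) {
  return escapeLikePatch(f).replace(/&/g, '&amp;');
}

// Complete escaper for HTML text content and quoted attribute values.
// A single pass over the five significant characters has no ordering
// problem: each input character is replaced exactly once.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Inverse of escapeHtml, used here only to show that escapeHtml is
// lossless (every distinct input yields a distinct output) while the
// patch's version is not.
const HTML_UNESCAPES = {
  '&amp;': '&',
  '&lt;': '<',
  '&gt;': '>',
  '&quot;': '"',
  '&#39;': "'",
};
function unescapeHtml(s) {
  return s.replace(/&(amp|lt|gt|quot|#39);/g, (m) => HTML_UNESCAPES[m]);
}

// One listing row, built the way the previous comment asks for: the same
// helper at every place a filename is interpolated. The href is first
// URL-encoded (its own context), then HTML-escaped for the attribute;
// encodeURIComponent leaves the apostrophe alone, so the second layer
// still has work to do there.
function listingRow(name) {
  const href = escapeHtml(encodeURIComponent(name));
  const text = escapeHtml(name);
  return `<a href="${href}">${text}</a>`;
}

// Constructed filenames: a tag, the same tag already written as entity
// text, an ampersand, and an apostrophe.
const SAMPLE_NAMES = ['<img>', '&lt;img&gt;', 'a&b', "a'b.txt"];

for (const name of SAMPLE_NAMES) {
  const patched = escapeLikePatch(name);
  const full = escapeHtml(name);
  // Round-tripping through the inverse is the lossless check.
  const lossless = unescapeHtml(full) === name;
  console.log(`${JSON.stringify(name)}: patch=${patched} full=${full} lossless=${lossless}`);
  console.log('  row: ' + listingRow(name));
}
```

With the four-replace version both '<img>' and '&lt;img&gt;' come out as '&lt;img&gt;', so the listing shows the same text for two different files; escapeHtml keeps them apart ('&lt;img&gt;' versus '&amp;lt;img&amp;gt;'), and the round-trip through unescapeHtml holds for every sample.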
> * We fixed it on February 17th
The fix scares the shit out of me:
https://github.com/isaacs/st/commit/5a0c1886737a20d78ae00b61...