github/svgedit
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

useEncodeURIComponent to add security to dynamic import

Browse Source
This commit is contained in:
jfh
2020-10-05 21:27:48 +02:00
parent d8a8869b98
commit 6d1c36b6d3
22 changed files with 30 additions and 23 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
src/editor/svgedit.js
View File

@@ -783,7 +783,7 @@ editor.init = function () {
/**
* @type {module:SVGEditor.ExtensionObject}
*/
const imported = await import(`./extensions/${extname}/${extname}.js`);
const imported = await import(`./extensions/${encodeURIComponent(extname)}/${encodeURIComponent(extname)}.js`);
const {name = extname, init} = imported.default;
return editor.addExtension(name, (init && init.bind(editor)), {$, langParam});
} catch (err) {
@@ -806,7 +806,7 @@ editor.init = function () {
/**
* @type {module:SVGEditor.ExtensionObject}
*/
const imported = await import(extPathName);
const imported = await import(encodeURI(extPathName));
const {name, init} = imported.default;
return editor.addExtension(name, (init && init.bind(editor)), {$, langParam});
} catch (err) {