Skip to content

Do not extract candidates containing JS string interpolation pattern ${ #17142

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
RobinMalfait merged 3 commits into from
Mar 12, 2025
Merged

Do not extract candidates containing JS string interpolation pattern ${ #17142

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
787d951
add failing tests
RobinMalfait Mar 12, 2025
cc322e4
throw out values when `${` pattern occurs
RobinMalfait Mar 12, 2025
3e5fe97
update changelog
RobinMalfait Mar 12, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
throw out values when ${ pattern occurs 
If this occurs inside of strings then it's fine but everywhere else it's
thrown out.

Technically you can set it in the value of a CSS variable, but I think
guarding against that is only needed if somebody actually runs into
problems with this.
  • Loading branch information
@RobinMalfait
RobinMalfait committed Mar 12, 2025
commit cc322e460664f2a09c26f54347bde66b6019897a
8 changes: 8 additions & 0 deletions crates/oxide/src/extractor/arbitrary_property_machine.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -226,6 +226,11 @@ impl Machine for ArbitraryPropertyMachine<ParsingValueState> {
// URLs are not allowed
Class::Slash if start_of_value_pos == cursor.pos => return self.restart(),

// String interpolation-like syntax is not allowed. E.g.: `[${x}]`
Class::Dollar if matches!(cursor.next.into(), Class::OpenCurly) => {
return self.restart()
}

// Everything else is valid
_ => cursor.advance(),
};
Expand Down Expand Up @@ -276,6 +281,9 @@ enum Class {
#[bytes(b'-')]
Dash,

#[bytes(b'$')]
Dollar,

#[bytes_range(b'a'..=b'z')]
AlphaLower,

Expand Down
8 changes: 8 additions & 0 deletions crates/oxide/src/extractor/arbitrary_value_machine.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -95,6 +95,11 @@ impl Machine for ArbitraryValueMachine {
// Any kind of whitespace is not allowed
Class::Whitespace => return self.restart(),

// String interpolation-like syntax is not allowed. E.g.: `[${x}]`
Class::Dollar if matches!(cursor.next.into(), Class::OpenCurly) => {
return self.restart()
}

// Everything else is valid
_ => cursor.advance(),
};
Expand Down Expand Up @@ -133,6 +138,9 @@ enum Class {
#[bytes(b' ', b'\t', b'\n', b'\r', b'\x0C')]
Whitespace,

#[bytes(b'$')]
Dollar,

#[fallback]
Other,
}
Expand Down
8 changes: 8 additions & 0 deletions crates/oxide/src/extractor/arbitrary_variable_machine.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -252,6 +252,11 @@ impl Machine for ArbitraryVariableMachine<ParsingFallbackState> {
// Any kind of whitespace is not allowed
Class::Whitespace => return self.restart(),

// String interpolation-like syntax is not allowed. E.g.: `[${x}]`
Class::Dollar if matches!(cursor.next.into(), Class::OpenCurly) => {
return self.restart()
}

// Everything else is valid
_ => cursor.advance(),
};
Expand Down Expand Up @@ -284,6 +289,9 @@ enum Class {
#[bytes(b'.')]
Dot,

#[bytes(b'$')]
Dollar,

#[bytes(b'\\')]
Escape,

Expand Down