fix(utils): improve robustness of frame messenger and string processing #5082
Open
RinZ27 wants to merge 2 commits into dequelabs:develop from
Conversation
I switched to Object.create(null) for the channel store and added explicit checks for restricted keys like __proto__ to ensure robust cross-frame communication.
- Escaped property names in process-message to prevent regex injection and logic errors.
- Added vbscript: and file: to ignored URL schemes in getFriendlyUriEnd.
- Hardened channelId validation in channel-store to avoid potential hijacking.
- Improved crypto detection in uuid.js to support Node.js and Web Workers safely.
Strengthening the robustness of internal utilities ensures better stability across different environments. While reviewing the core library, I noticed several areas where string processing and frame communication could be more resilient against unexpected input.

Addressing potential logic errors in process-message.js, this update introduces proper regex escaping for property names. I encountered a case where special characters in metadata could interfere with the template substitution, so centralizing the escaping logic was a priority.

Updating the frame messenger's channel-store.js adds a necessary layer of validation for channelId. Ensuring only string identifiers are processed helps maintain the integrity of communication channels between frames. Additionally, I modified uuid.js to safely detect the crypto API, preventing crashes in environments where window is unavailable, such as Node.js or Web Workers.

Refining get-friendly-uri-end.js extends the ignored schemes to include vbscript: and file:. These changes collectively improve the engine's correctness when handling diverse URI formats in a security-conscious manner.

Validation of these fixes was performed locally to confirm that the existing test suite remains stable and the reported edge cases are now correctly handled.
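The two hardening patterns the description names, as an added example that is not code from this PR or from axe-core: a null-prototype channel store that accepts only non-empty string ids and rejects restricted keys such as __proto__, and a regex-escaping helper so property names are matched literally during template substitution. The function names createChannelStore, escapeRegExp and substituteMessage are assumptions.

```javascript
// Added example, not code from this PR or from axe-core; names are assumptions.
const RESTRICTED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Channel store backed by a null-prototype object so lookups never fall
// through to Object.prototype, plus explicit rejection of non-string or
// restricted channel ids before they are ever used as property names.
function createChannelStore() {
  const channels = Object.create(null);

  function assertValidChannelId(channelId) {
    if (typeof channelId !== 'string' || channelId.length === 0) {
      throw new TypeError('channelId must be a non-empty string');
    }
    if (RESTRICTED_KEYS.has(channelId)) {
      throw new TypeError('channelId "' + channelId + '" is not allowed');
    }
  }

  return {
    set(channelId, handler) {
      assertValidChannelId(channelId);
      channels[channelId] = handler;
    },
    get(channelId) {
      assertValidChannelId(channelId);
      // Inherited names such as "toString" resolve to undefined here.
      return channels[channelId];
    }
  };
}

// Escape regex metacharacters so a property name is matched literally when
// it is embedded in a RegExp built for template substitution.
function escapeRegExp(str) {
  return str.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Replace every ${name} placeholder with the matching value. The replacer
// function keeps values literal, so "$&" inside data is not expanded either.
function substituteMessage(template, data) {
  let out = template;
  for (const name of Object.keys(data)) {
    const pattern = new RegExp('\\$\\{' + escapeRegExp(name) + '\\}', 'g');
    out = out.replace(pattern, () => String(data[name]));
  }
  return out;
}
```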