Skip to content

Generate placeholder regexp with a uid for safety #6

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Aug 27, 2015
Merged

Generate placeholder regexp with a uid for safety #6

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
33 changes: 17 additions & 16 deletions index.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,11 +8,12 @@ See the accompanying LICENSE file for terms.

var isRegExp = require('util').isRegExp;

module.exports = serialize;
// Generate an internal UID to make the regexp pattern harder to guess.
var UID = Math.floor(Math.random() * 0x10000000000).toString(16);
var PLACE_HOLDER_REGEXP = new RegExp('"@__(FUNCTION|REGEXP)-' + UID + '-(\\d+)__@"', 'g');

var IS_NATIVE_CODE_REGEX = /\{\s*\[native code\]\s*\}/g,
PLACE_HOLDER_REGEX = /"@__(FUNCTION|REGEXP)_(\d+)__@"/g,
UNSAFE_CHARS_REGEX = /[<>\/\u2028\u2029]/g;
var IS_NATIVE_CODE_REGEXP = /\{\s*\[native code\]\s*\}/g;
var UNSAFE_CHARS_REGEXP = /[<>\/\u2028\u2029]/g;

// Mapping of unsafe HTML and invalid JavaScript line terminator chars to their
// Unicode char counterparts which are safe to use in JavaScript strings.
Expand All @@ -31,21 +32,21 @@ var UNICODE_CHARS = {
// `JSON.stringify()` `space` option to a truthy value.
var SPACE = 2;

function serialize(obj) {
var functions = [],
regexps = [],
str;
module.exports = function serialize(obj) {
var functions = [];
var regexps = [];
var str;

// Creates a JSON string representation of the object and uses placeholders
// for functions and regexps (identified by index) which are later
// replaced.
str = JSON.stringify(obj, function (key, value) {
if (typeof value === 'function') {
return '@__FUNCTION_' + (functions.push(value) - 1) + '__@';
return '@__FUNCTION-' + UID + '-' + (functions.push(value) - 1) + '__@';
}

if (typeof value === 'object' && isRegExp(value)) {
return '@__REGEXP_' + (regexps.push(value) - 1) + '__@';
return '@__REGEXP-' + UID + '-' + (regexps.push(value) - 1) + '__@';
}

return value;
Expand All @@ -60,7 +61,7 @@ function serialize(obj) {
// Replace unsafe HTML and invalid JavaScript line terminator chars with
// their safe Unicode char counterpart. This _must_ happen before the
// regexps and functions are serialized and added back to the string.
str = str.replace(UNSAFE_CHARS_REGEX, function (unsafeChar) {
str = str.replace(UNSAFE_CHARS_REGEXP, function (unsafeChar) {
return UNICODE_CHARS[unsafeChar];
});

Expand All @@ -71,15 +72,15 @@ function serialize(obj) {
// Replaces all occurrences of function and regexp placeholders in the JSON
// string with their string representations. If the original value can not
// be found, then `undefined` is used.
return str.replace(PLACE_HOLDER_REGEX, function (match, type, index) {
return str.replace(PLACE_HOLDER_REGEXP, function (match, type, valueIndex) {
if (type === 'REGEXP') {
return regexps[index].toString();
return regexps[valueIndex].toString();
}

var fn = functions[index],
serializedFn = fn.toString();
var fn = functions[valueIndex];
var serializedFn = fn.toString();

if (IS_NATIVE_CODE_REGEX.test(serializedFn)) {
if (IS_NATIVE_CODE_REGEXP.test(serializedFn)) {
throw new TypeError('Serializing native function: ' + fn.name);
}

Expand Down