Sanitize sourceURL so it cannot affect evaled code (#4518)

2026-01-29 06:27:49 +00:00 · 2020-06-04 08:36:12 +02:00
parent 0cec225778
commit e7b28ea6cb
2 changed files with 15 additions and 5 deletions
--- a/test/test.js
+++ b/test/test.js
@@ -22641,6 +22641,18 @@
      assert.deepEqual(actual, expected);
    });

+    QUnit.test('should not let a sourceURL inject code', function(assert) {
+      assert.expect(1);
+
+      var actual,
+          expected = 'no error';
+      try {
+          actual = _.template(expected, {'sourceURL': '\u2028\u2029\n!this would err if it was executed!'})();
+      } catch (e) {}
+
+      assert.equal(actual, expected);
+    });
+
    QUnit.test('should work as an iteratee for methods like `_.map`', function(assert) {
      assert.expect(1);