mirror of
https://github.com/servo/servo
synced 2026-05-10 17:12:23 +02:00
The previous serialization is problematic when dealing with string
arguments with special characters. In addition, it was vulnerable to
an injection attack like the one below:
```rust
let s = r#""); alert(1); //"#;
let args_string = format!("\"{}\"", s);
let script = format!("(function() {{ {}\n}})({})", "/* body */", args_string);
// script becomes: (function() { /* body */ })(""); alert(1); //")
```
Testing: Added four new tests in
[wdspec](https://web-platform-tests.org/writing-tests/wdspec.html).
Before this PR, we would get "javascript error" for the new tests, and
trigger user prompts. Now they pass. This should also fix some
testdriver tests.
---------
Signed-off-by: Euclid Ye <yezhizhenjiakang@gmail.com>
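As an added example (not Servo's code, and not the fix this PR landed), the quote-wrapping serialization from the message beside a JSON-style escaper, with a structural check that a serialized argument cannot terminate the string literal early. The escaper is hand-rolled to keep the block dependency-free; `build_script` mirrors the snippet's wrapper shape and `is_single_string_literal` is a hypothetical helper written for this demonstration.

```rust
/// The problematic approach: wrap the raw text in quotes, no escaping.
fn serialize_arg_naive(s: &str) -> String {
    format!("\"{}\"", s)
}

/// Encode `s` as a JSON string literal: quotes, backslashes, control
/// characters and U+2028/U+2029 are escaped, so the text can never close
/// the literal early. Hand-rolled to keep the example dependency-free;
/// a real fix would use a JSON library (assumption, not Servo's code).
fn serialize_arg_json(s: &str) -> String {
    let mut out = String::from("\"");
    for c in s.chars() {
        match c {
            '"' => out.push_str("\\\""),
            '\\' => out.push_str("\\\\"),
            '\u{0}'..='\u{1f}' | '\u{2028}' | '\u{2029}' => {
                out.push_str(&format!("\\u{:04x}", c as u32))
            }
            _ => out.push(c),
        }
    }
    out.push('"');
    out
}

/// Same wrapper shape as the snippet in the commit message.
fn build_script(body: &str, args: &[String]) -> String {
    format!("(function() {{ {}\n}})({})", body, args.join(", "))
}

/// True iff `lit` is exactly one double-quoted string literal, i.e. the
/// first unescaped `"` after the opening one is the last character.
fn is_single_string_literal(lit: &str) -> bool {
    let mut chars = lit.chars();
    if chars.next() != Some('"') { return false; }
    let (mut escaped, mut closed) = (false, false);
    for c in chars {
        if closed { return false; } // text after the closing quote
        match (escaped, c) {
            (true, _) => escaped = false,
            (false, '\\') => escaped = true,
            (false, '"') => closed = true,
            (false, '\n' | '\r') => return false, // raw line break ends a literal
            _ => {}
        }
    }
    closed
}
```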