From a7ccc16dd259e4f3dbc46f2e5cee49c8b6596e5c Mon Sep 17 00:00:00 2001
From: edukisto <52005215+edukisto@users.noreply.github.com>
Date: Mon, 30 Nov 2020 21:14:26 +0300
Subject: [PATCH] CSP: Do not highlight directive names with adjacent hyphens (#2662)

CSP tokens used `\b` to assert word boundaries but this is incorrect as CSP tokens may contain hyphens (`-`). This replaces the assertions will lookarounds that address the issue.
---
 components/prism-csp.js | 3 ++-
 components/prism-csp.min.js | 2 +-
 tests/languages/csp/issue2661.test | 11 +++++++++++
 3 files changed, 14 insertions(+), 2 deletions(-)
 create mode 100644 tests/languages/csp/issue2661.test

diff --git a/components/prism-csp.js b/components/prism-csp.js
index 861f5a0972..c8facbc30f 100644
--- a/components/prism-csp.js
+++ b/components/prism-csp.js
@@ -11,7 +11,8 @@ Prism.languages.csp = {
 'directive': {
- pattern: /\b(?:base-uri|block-all-mixed-content|(?:child|connect|default|font|frame|img|manifest|media|object|script|style|worker)-src|disown-opener|form-action|frame-ancestors|plugin-types|referrer|reflected-xss|report-to|report-uri|require-sri-for|sandbox|upgrade-insecure-requests)\b/i,
+ pattern: /(^|[^-\da-z])(?:base-uri|block-all-mixed-content|(?:child|connect|default|font|frame|img|manifest|media|object|script|style|worker)-src|disown-opener|form-action|frame-ancestors|plugin-types|referrer|reflected-xss|report-to|report-uri|require-sri-for|sandbox|upgrade-insecure-requests)(?=[^-\da-z]|$)/i,
+ lookbehind: true,
 alias: 'keyword'
 },
 'safe': {
diff --git a/components/prism-csp.min.js b/components/prism-csp.min.js
index b07a47aca1..6da48ba61d 100644
--- a/components/prism-csp.min.js
+++ b/components/prism-csp.min.js
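Review bot: The new boundary classes `[^-\da-z]` on the `pattern` line treat `_` as a separator, whereas the `\b` they replace treated it as a word character, so `default-src_x` would now highlight `default-src` while `default-src-x` correctly would not; if that is unintended, `(^|[^-\w])` and `(?=[^-\w]|$)` keep `\b`'s handling of `_` and digits while still excluding hyphens. CSP directive names are built only from letters, digits and hyphens, so this is a corner case rather than a regression for valid policies. A short comment above the pattern would help the next reader, e.g. `// \b is unusable here: directive names contain '-', so the lookarounds reject an adjacent [-\da-z] instead`. The minified hunk in prism-csp.min.js mirrors this change and needs no separate review. The enclosing `Prism.languages.csp` object literal continues past the hunk.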
@@ -1 +1 @@
-Prism.languages.csp={directive:{pattern:/\b(?:base-uri|block-all-mixed-content|(?:child|connect|default|font|frame|img|manifest|media|object|script|style|worker)-src|disown-opener|form-action|frame-ancestors|plugin-types|referrer|reflected-xss|report-to|report-uri|require-sri-for|sandbox|upgrade-insecure-requests)\b/i,alias:"keyword"},safe:{pattern:/'(?:self|none|strict-dynamic|(?:nonce-|sha(?:256|384|512)-)[a-zA-Z\d+=/]+)'/,alias:"selector"},unsafe:{pattern:/(?:'unsafe-inline'|'unsafe-eval'|'unsafe-hashed-attributes'|\*)/,alias:"function"}};
\ No newline at end of file
+Prism.languages.csp={directive:{pattern:/(^|[^-\da-z])(?:base-uri|block-all-mixed-content|(?:child|connect|default|font|frame|img|manifest|media|object|script|style|worker)-src|disown-opener|form-action|frame-ancestors|plugin-types|referrer|reflected-xss|report-to|report-uri|require-sri-for|sandbox|upgrade-insecure-requests)(?=[^-\da-z]|$)/i,lookbehind:!0,alias:"keyword"},safe:{pattern:/'(?:self|none|strict-dynamic|(?:nonce-|sha(?:256|384|512)-)[a-zA-Z\d+=/]+)'/,alias:"selector"},unsafe:{pattern:/(?:'unsafe-inline'|'unsafe-eval'|'unsafe-hashed-attributes'|\*)/,alias:"function"}};
\ No newline at end of file
diff --git a/tests/languages/csp/issue2661.test b/tests/languages/csp/issue2661.test
new file mode 100644
index 0000000000..1d25bd01f1
--- /dev/null
+++ b/tests/languages/csp/issue2661.test
@@ -0,0 +1,11 @@
+default-src-is-a-fake; fake-default-src;
+
+----------------------------------------------------
+
+[
+ "default-src-is-a-fake; fake-default-src;"
+]
+
+----------------------------------------------------
+
+Checks for directive names with adjacent hyphens.
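Review bot: The new fixture only asserts the negative case, that `default-src-is-a-fake` and `fake-default-src` yield no `directive` token; it does not show that a real directive next to such text is still found, which is the other half of what the new lookarounds must get right. Adding a positive sample on the same input line, such as `default-src 'self'; fake-default-src;`, and listing `["directive", "default-src"]` and `["safe", "'self'"]` in the expected token array would pin both sides, unless another CSP fixture already covers the positive case. The `safe` token depends on the `'safe'` pattern in prism-csp.js, which is outside this hunk.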