Merge pull request #396 from Tencent/dev

v3.5.2

CHANGELOG.md

@@ -1,5 +1,13 @@
 English | [简体中文](./CHANGELOG_CN.md)
 
+#### 3.5.2 (2021-05-13)
+
+- `Chore` Update to Webpack5 and update all NPM packages to the latest version.
+- `Fix(General)` Fix invalid click caused by wrong `selection`.
+- `Fix(Log)` Delete `cachedLogs` when reached `maxLogNumber` limit.
+- `Fix(Log)` Fix XSS risk.
+
+
 #### 3.5.1 (2021-05-07)
 
 - `Chore(Babel)` Fix incorrect `catch` built by babel-loader. (PR #392 by @myl0204)

CHANGELOG_CN.md

@@ -1,5 +1,13 @@
 [English](./CHANGELOG.md) | 简体中文
 
+#### 3.5.2 (2021-05-13)
+
+- `Chore` 升级到 Webpack5，并升级所有 NPM packages 到最新版本。
+- `Fix(General)` 修复因 `selection` 选区引起的点击事件无效问题。
+- `Fix(Log)` 当日志数量达到 `maxLogNumber` 上限时清空对应的 `cachedLogs`。
+- `Fix(Log)` 修复 XSS 漏洞。
+
+
 #### 3.5.1 (2021-05-07)
 
 - `Chore(Babel)` 修复由 `catch` 写法引起的 babel-loader 构建问题。 (PR #392 by @myl0204)

babel.config.js

@@ -0,0 +1,27 @@
+module.exports = function(api) {
+  api.cache(true);
+  return {
+    "presets": [
+      [
+        "@babel/preset-env",
+        {
+          "modules": false,
+          "targets": {
+            "ie": "9"
+          },
+          "loose": true
+        }
+      ]
+    ],
+    "plugins": [
+      [
+        "@babel/plugin-proposal-class-properties",
+        {
+          "loose": true
+        }
+      ],
+      "@babel/plugin-proposal-export-namespace-from",
+      "@babel/plugin-proposal-object-rest-spread"
+    ]
+  };
+};

dev/data/success.json

@@ -1 +1,4 @@
-{"ret":0,"msg":"suc","xss":"<xss0>XSS"}
+{
+  "key": "foo\nbar\tyoo",
+  "-->\tyo\n'\"/><iframe>": "-->\n'\"/></pre><iframe>"
+}

dev/log.html

@@ -3,11 +3,12 @@
 <head>
   <meta charset="utf-8">
   <meta name="viewport" content="width=device-width, initial-scale=1.0, user-scalable=no, viewport-fit=cover">
+  <meta http-equiv="Cache-Control" content="no-cache, no-store, must-revalidate" />
   <title>Test: Log</title>
   <link href="../example/lib/weui.min.css" rel="stylesheet"/>
   <link href="../example/lib/demo.css" rel="stylesheet"/>
 
-  <script src="../dist/vconsole.min.js"></script>
+  <script type="module" src="../dist/vconsole.min.js"></script>
 </head>
 <body ontouchstart>
   <div class="page">
@@ -20,12 +21,16 @@
     <a onclick="smallArray()" href="javascript:;" class="weui_btn weui_btn_default">smallArray</a>
     <a onclick="repeatLog()" href="javascript:;" class="weui_btn weui_btn_default">repeatLog</a>
     <a onclick="windowError()" href="javascript:;" class="weui_btn weui_btn_default">window.error</a>
+    <a onclick="xssLog()" href="javascript:;" class="weui_btn weui_btn_default">XSS: Log</a>
+    <a onclick="xssStorage()" href="javascript:;" class="weui_btn weui_btn_default">XSS: Storage</a>
     <a onclick="changeTheme()" href="javascript:;" class="weui_btn weui_btn_default">changeTheme</a>
   </div>
 </body>
 </html>
 
-<script>
+<script type="module">
+import '../dist/vconsole.min.js';
+
 window.vConsole = new window.VConsole({
   maxLogNumber: 1000,
   // disableLogScrolling: true,
@@ -36,7 +41,9 @@
     console.log('on clearLog');
   }
 });
+</script>
 
+<script>
 // setInterval(() => {
 //   console.log(Math.random());
 //   console.log('[system]', Math.random());
@@ -129,6 +136,30 @@
   console.info('windowError() End');
 }
 
+function xssLog() {
+  console.info('xssLog() Start');
+  const arr = [
+    "-->\tyo\n'\"/><iframe>",
+    ["-->\tyo\n'\"/><iframe>"]
+  ];
+  const obj = {
+    'key': 'foo\nbar\tyoo',
+    "-->\tyo\n'\"/><iframe>": "-->\n'\"/><iframe>"
+  };
+  console.log('XSS str:', "-->\tyo\n'\"/><iframe>");
+  console.log(arr);
+  console.log(obj);
+  console.info('xssLog() End');
+}
+
+function xssStorage() {
+  console.info('xssStorage() Start');
+  localStorage.setItem("-->\tyo\n'\"/><iframe>", "-->\tyo\n'\"/><iframe>");
+  sessionStorage.setItem("-->\tyo\n'\"/><iframe>", "-->\tyo\n'\"/><iframe>");
+  document.cookie = "foo=-->\tyo";
+  console.info('xssStorage() End');
+}
+
 let theme = 'light';
 function changeTheme() {
   console.info('changeTheme() Start');