fix(rspack): support getPublicPath #3422
🦋 Changeset detected
Latest commit: f07aee4
The changes in this PR will be included in the next version bump. This PR includes changesets to release 29 packages.
✅ Deploy Preview for module-federation-docs ready!
} else { | ||
code = `(${this._getPublicPath})()`; | ||
code = `${ |
@ScriptedAlchemy hey, I see this just calls the function before, not sure whether you forgot to add webpackRequire.p = function(){} or you want users to pass getPublicPath and assign it themselves, like getPublicPath: function(){ webpackRequire.p = 'https://' }
Originally I had implemented it with the ability to accept arguments, but I think you were concerned about backward compat, so we did not add arguments to the function call. But originally I had intended for this capability to exist, and removed it after you raised some concern many months ago.
if (!this._getPublicPath.startsWith('function')) { | ||
code = `${ | ||
compiler.webpack.RuntimeGlobals.publicPath | ||
} = new Function(${JSON.stringify(this._getPublicPath)})()`; | ||
} = new Function(${JSON.stringify(sanitizedPublicPath)})()`; |
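Review bot: the `startsWith('function')` test at the top of this hunk is the only thing separating "a function to call" from "a function body to compile", and it is easy to miss. An arrow function, an `async function`, or a value with leading whitespace does not start with `function`, so it falls into the `new Function(...)` branch and is compiled as a body. Suggest trimming the value and recognising those forms, or accepting a real function in the option type and serialising it in one place, and documenting that whatever string reaches this branch is executed at runtime.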
Check warning: Code scanning / CodeQL
Improper code sanitization (Medium): improperly sanitized value
Copilot Autofix AI 16 days ago
To fix the problem, we need to ensure that the sanitizedPublicPath value is properly sanitized to prevent any potential code injection. We can achieve this by using a more robust sanitization method that escapes all potentially dangerous characters. Additionally, we should ensure that the JSON.stringify method is used correctly to handle the sanitized value.
- Update the escapeUnsafeChars function to include all potentially dangerous characters.
- Ensure that the sanitizedPublicPath value is properly escaped before using it in the JSON.stringify method.
@@ -20,3 +20,3 @@ | ||
function escapeUnsafeChars(str: string) { | ||
return str.replace(/[<>\b\f\n\r\t\0\u2028\u2029\\]/g, (x) => charMap[x]); | ||
return str.replace(/[<>\b\f\n\r\t\0\u2028\u2029/\\]/g, (x) => charMap[x]); | ||
} | ||
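Review bot: the `/` added to the character class on the changed `str.replace` line needs a matching `charMap` entry, and this hunk touches only the regex. If `charMap` has no `/` key, `charMap[x]` is `undefined` and `replace` writes the text "undefined" in place of every slash, which would corrupt any URL in the value. Add the `/` mapping in the same change and cover it with a test on a value containing `https://`.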
@@ -40,3 +40,3 @@ | ||
compiler.webpack.RuntimeGlobals.publicPath | ||
} = new Function(${JSON.stringify(sanitizedPublicPath)})()`; | ||
} = new Function(${JSON.stringify(escapeUnsafeChars(sanitizedPublicPath))})()`; | ||
} else { |
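Review bot: wrapping the `new Function` argument in `escapeUnsafeChars(...)` rewrites the function body before it is compiled; it does not limit what that body can do once it runs. The class in the hunk above includes `/` and `\\`, so a body that returns an https URL is passed through `charMap` first, and if `sanitizedPublicPath` was already produced by the same function, the backslashes it introduced are escaped a second time. Since this string is executed by design, suggest recording who is trusted to supply it and resolving the finding on that basis, and keeping character escaping for values that are emitted as data.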
Description
rspack plugin support getPublicPath
Related Issue
Types of changes
Checklist
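
The escaping described in the Autofix comment in the CodeQL thread above, shown for a value emitted as data rather than as a function body. This is an added example, not code from the PR or the project; `charMap`, the function names and the sample value are constructed.

```javascript
// Added example with constructed names; this charMap is an assumption,
// the PR's own table is not shown on the page.
const charMap = {
  '<': '\\u003C',
  '>': '\\u003E',
  '/': '\\u002F',
  '\u2028': '\\u2028',
  '\u2029': '\\u2029',
};

// JSON.stringify already escapes quotes, backslashes and control characters.
// It leaves <, >, / and U+2028/U+2029 alone, so those are escaped afterwards,
// on the finished literal, where each escape decodes to the original character.
function escapeLiteral(literal) {
  return literal.replace(/[<>\/\u2028\u2029]/g, (x) => charMap[x]);
}

// Data path: the value is only ever emitted as a string literal.
function emitPublicPathAssignment(target, publicPath) {
  return `${target} = ${escapeLiteral(JSON.stringify(publicPath))};`;
}

// Failure mode: '&' is in the class but has no charMap entry, so the
// callback returns undefined and replace() writes the text "undefined".
function escapeWithMissingEntry(str) {
  return str.replace(/[<>\/\u2028\u2029&]/g, (x) => charMap[x]);
}

// Run emitted code against a scratch object and return what was assigned.
function evalAssignment(code) {
  const scope = {};
  new Function('scope', code)(scope);
  return scope.p;
}

// Constructed input: a quote, a script close tag and a line separator.
const sample = 'https://cdn.example/a"b</script>\u2028/';
const emitted = emitPublicPathAssignment('scope.p', sample);
console.log(emitted);
console.log(evalAssignment(emitted) === sample);
console.log(escapeWithMissingEntry('a&b'));
```

Escaping after `JSON.stringify` keeps the emitted literal equal to the input when evaluated; escaping before it would double the backslashes the escape step introduces.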