mikesamuel

/**
 * A symbol that should only be added to objects whose
 * properties come from an external string, or which include
 * uncherry-picked properties from such an object.
 */
const PARSER_OUTPUT_SYMBOL = Symbol('parserOutput');
function markingReviver(_, value) {
  "use strict";
  if (value && typeof value === 'object') {
    // HACK: This might fail if optReviver freezes values.

mikesamuel

diff --git a/lib/internal/modules/cjs/loader.js b/lib/internal/modules/cjs/loader.js
index 33d8907e4f..6df7c32efd 100644
--- a/lib/internal/modules/cjs/loader.js
+++ b/lib/internal/modules/cjs/loader.js
@@ -46,6 +46,9 @@ const preserveSymlinks = !!process.binding('config').preserveSymlinks;
 const preserveSymlinksMain = !!process.binding('config').preserveSymlinksMain;
 const experimentalModules = !!process.binding('config').experimentalModules;

+const { defineProperties, hasOwnProperty } = Object;
+const { apply } = Reflect;

mikesamuel

Ambiguous

Ambiguous

Ambiguous

NFC Å - Å

NFKC Äffin - Äffin

mikesamuel

JSON.parse = (() => {
  const undef = void 0;
  const jsonParse = JSON.parse;
  function noProtoReviver (key, value) {
    if (key === '__proto__') {
      console.warn('Removed __proto__ from parsed JSON');
      return undef; // Remove property entirely
    }
    return value;
  }

mikesamuel

Options for Hardening React &| JSX

• Background
• Problem
• Options
  • Before Desugar
  • After Desugar
  • Mutate CreateElement
  • Mutate Reconciler
• Hybrid of Before Desugar and Mutate Reconciler

mikesamuel

"use strict";

// Prompted by https://esdiscuss.org/topic/json-canonicalize

// Given a string of JSON produces a string of JSON without unnecessary
// degrees of freedom like whitespace, optional escape sequences, and
// unnecessary variance in number representation.
function hashable(json) {
  const strs = []  // Side table to collect string bodies
  return reorderProperties(

mikesamuel

Node Frenemies

Lets project teams trust code they know with more than code they don't.

• Goal
• Non-goals
• Use Case Summary
• Solution: Node module loader acts as trusted intermediary to enable mutual suspicion
  • Reliable Channel Example

• Example Code

mikesamuel

<html>
  <title>sanitize-html testbed</title>
  <script>
    // Inlined the result of
    // $ npm install sanitize-html
    // $ browserify --bare node_modules/sanitize-html/index.js
    // and added window.sanitizeHtml = sanitizeHtml;

(function e(t,n,r){function s(o,u){if(!n[o]){if(!t[o]){var a=typeof require=="function"&&require;if(!u&&a)return a(o,!0);if(i)return i(o,!0);var f=new Error("Cannot find module '"+o+"'");throw f.code="MODULE_NOT_FOUND",f}var l=n[o]={exports:{}};t[o][0].call(l.exports,function(e){var n=t[o][1][e];return s(n?n:e)},l,l.exports,e,t,n,r)}return n[o].exports}var i=typeof require=="function"&&require;for(var o=0;o<r.length;o++)s(r[o]);return s})({1:[function(require,module,exports){
var htmlparser = require('htmlparser2');

mikesamuel

  private static final boolean DEBUG_RDS = false;
  static void removeDotSegmentsInPlace(StringBuilder path, int left) {
    // The code below has excerpts from the spec interspersed.
    // The "input buffer" and "output buffer" referred to in the spec
    // are both just regions of path.
    // The loop deals with the exclusive cases by continuing instead
    // of proceeding to the bottom.
    boolean isAbsolute = left < path.length() && path.charAt(left) == '/';

    // RFC 3986 Section 5.2.4

mikesamuel

URL Classifier Builder

This is now implemented: https://github.com/OWASP/url-classifier

Problem

Matching URLs with regular expressions is hard. Even experienced programmers who are familiar with the URL spec produce code like /http:\/\/example.com/ which spuriously matches unintended URLs like