joewalnes / filtrex Goto Github PK

This will p0wn your browser.

compileExpression("'undefined:(window.p0wned=true)));((true?(x=>x)'()")()

Hi,

We are trying to consume filtrex.js in java using javax.script (nashorn).

And while it is loading the filterx.js file, it is giving some syntax error as mentioned below.
javax.script.ScriptException: :115:17 Expected an operand but found error
`yytext = JSON.stringify(yytext);
^ in at line number 115 at column number

Please let us know.

filtrex has a global name collision with requirejs's require. Can we please rename all references to require?

I'd like to use this to match text, like someone would with a search engine, e.g.

e.g If I had the text

this is a test of the system
brad and his dog

this search would match
test or you and (brad and dog)

but this one wouldnt
test and rabbit

I could use a custom function, but for this use case, the variable names are actually the variable values.

Is there an easy way to do this? I'd prefer not to use a custom function, as I want it to be natural for my end users.

Filtrex seems to be vulnerable to cross site scripting. For example, in the highlighting example (http://rawgit.com/joewalnes/filtrex/master/example/highlight.html), if one enters the following string in the text input, an alert dialog appears:

constructor.constructor.name.replace("",constructor.constructor("alert('xss')"))

This is because Filtrex does not restrict the user-supplied functions only to own members of the functions object (abs, ceil, floor...), but allows accessing function members inherited from Object.prototype as well - for example, constructor, i.e. the Object() function. It's also possible to call functions in nested objects as well, such as constructor.constructor i.e. the Function() function.

The above was tested and worked on Firefox 29.0.1 (OS X 10.7) and Chrome 34.0 (OS X 10.7)

Strings (surrounding with double quotes) in filtrex expressions cannot contain any double quote characters themselves.

I'll open a PR to address this.

Apparently, @joewalnes lost his interest in this package, and since I'm the only one reacting to issues here for some time now, I decided to continue the development on my fork of Filtrex. If you have any suggestions, ideas or questions, feel free to start an issue there.

I also started a dispute in order to aquire the NPM package filtrex, so that I'd be able to update it. Since then, you can use my package @m93a/filtrex which is up to date and includes several cool features and security fixes.

This will p0wn your browser.

compileExpression(`'"+(window.p0wned=true)+"'`)({});

I need your library for parsing expressions but I saw that it only supports numbers and strings.
Is it possible to somehow allow date manipulation?
The expression I need to parse is:

'31.07.' + (myDate.getMonth() <= 7 ? myDate.getFullYear() + 3: myDate.getFullYear() + 4 )

Im trying to get this to parse expressions with spaces e.g. Net Income > 10000. I have tried a few things like wrapping with quotes "Net Income" but that hasn't worked. Any ideas?

(Stolen from: https://github.com/mdo/wtf-forms/issues/5)

Joe I like this tool!
I ran this unit test, which is similar to your existing unit test. It always returns false/0

'filtrex: object string test': function(test) {
        test.equal(1, compileExpression('obj.foo == "hello"')({obj:{foo:'hello'}}));
        test.equal(0, compileExpression('obj.foo == "hello"')({obj:{foo:'bye'}}));
        test.equal(0, compileExpression('obj.foo != "hello"')({obj:{foo:'hello'}}));
        test.equal(1, compileExpression('obj.foo != "hello"')({obj:{foo:'bye'}}));
        test.equal(true, compileExpression('obj.foo in ("aa", "bb")')({obj:{foo:'aa'}}));
        test.equal(false, compileExpression('obj.foo in ("aa", "bb")')({obj:{foo:'c'}}));
        test.equal(false, compileExpression('obj.foo not in ("aa", "bb")')({obj:{foo:'aa'}}));
        test.equal(true, compileExpression('obj.foo not in ("aa", "bb")')({obj:{foo:'cc'}}));
    }