X-Git-Url: https://git.josue.xyz/?p=dotfiles%2F.git;a=blobdiff_plain;f=.config%2Fcoc%2Fextensions%2Fnode_modules%2Fcoc-prettier%2Fnode_modules%2Flodash%2Ftemplate.js;h=1556a099afe4e4c6d36705d72343f6a719b168f6;hp=f71d13024982f0f1c5c29707bf1c16d7282cccb4;hb=4d07c77cf4d78cab8639e13ddc3c22495e585b0b;hpb=b3950616b54221c40a7dab9099bda675007e5b6e

diff --git a/.config/coc/extensions/node_modules/coc-prettier/node_modules/lodash/template.js b/.config/coc/extensions/node_modules/coc-prettier/node_modules/lodash/template.js
index f71d1302..1556a099 100644
--- a/.config/coc/extensions/node_modules/coc-prettier/node_modules/lodash/template.js
+++ b/.config/coc/extensions/node_modules/coc-prettier/node_modules/lodash/template.js
@@ -169,11 +169,11 @@ function template(string, options, guard) {
 
   // Use a sourceURL for easier debugging.
   // The sourceURL gets injected into the source that's eval-ed, so be careful
-  // with lookup (in case of e.g. prototype pollution), and strip newlines if any.
-  // A newline wouldn't be a valid sourceURL anyway, and it'd enable code injection.
+  // to normalize all kinds of whitespace, so e.g. newlines (and unicode versions of it) can't sneak in
+  // and escape the comment, thus injecting code that gets evaled.
   var sourceURL = hasOwnProperty.call(options, 'sourceURL')
     ? ('//# sourceURL=' +
-       (options.sourceURL + '').replace(/[\r\n]/g, ' ') +
+       (options.sourceURL + '').replace(/\s/g, ' ') +
        '\n')
     : '';
 
@@ -206,8 +206,6 @@ function template(string, options, guard) {
 
   // If `variable` is not specified wrap a with-statement around the generated
   // code to add the data object to the top of the scope chain.
-  // Like with sourceURL, we take care to not check the option's prototype,
-  // as this configuration is a code injection vector.
   var variable = hasOwnProperty.call(options, 'variable') && options.variable;
   if (!variable) {
     source = 'with (obj) {\n' + source + '\n}\n';