__electronHot__ injection causes SyntaxError if absolute path contains '

Open Martin-Pitt opened this issue 8 years ago • 1 comment

Was getting blank windows when I noticed via DevTools I was getting a SyntaxError: missing ) after argument list. This is because my project folder has a ' in the absolute path.

In fact, this seems like a possible XSS attack vector if the folders are named specifically. (E.g. escaping string quoting via the path)

Please escape the absolute path when injecting var __electronHot__ = require(…); with the path

Martin-Pitt avatar Jun 01 '17 14:06 Martin-Pitt
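The failure mode in the report is a path being spliced into generated JavaScript by string concatenation, so a quote character in the path ends the string literal early. The following is an added example, not electron-hot-loader's own code: it builds the injected `var __electronHot__ = require(...)` line the unsafe way and the hardened way (serializing the path with JSON.stringify so quotes, backslashes and control characters are escaped), then checks with `Function()` whether each result parses. The helper names and the sample paths are constructed for this illustration; `Function()` only compiles the snippet, it never runs the `require` call.

```javascript
// Added example (not electron-hot-loader's code). Demonstrates why a quote in an
// absolute path breaks a concatenated require() line and how escaping fixes it.

// Vulnerable pattern: the absolute path is trusted and concatenated as-is.
// A single quote in the path terminates the string literal early.
function buildInjectionUnsafe(absPath) {
  return "var __electronHot__ = require('" + absPath + "');";
}

// Hardened pattern: JSON.stringify yields a valid JS string literal with quotes,
// backslashes and control characters escaped. '<' is also escaped so that, if the
// snippet is placed in an inline <script> tag, a path containing "</script>"
// cannot close the tag (\u003c is a valid JS string escape).
function buildInjectionSafe(absPath) {
  const literal = JSON.stringify(String(absPath)).replace(/</g, '\\u003c');
  return 'var __electronHot__ = require(' + literal + ');';
}

// Syntax check only: Function() parses the source without executing it, so the
// require() call never runs. Returns true when the snippet is valid JavaScript.
function parses(source) {
  try {
    new Function(source); // eslint-disable-line no-new-func
    return true;
  } catch (err) {
    if (err instanceof SyntaxError) return false;
    throw err;
  }
}

// Constructed sample paths (hypothetical); the second contains a single quote,
// as in the report above.
const PLAIN_PATH = '/home/dev/projects/my-app/.hot-loader/runtime.js';
const QUOTED_PATH = "/home/dev/Martin's projects/my-app/.hot-loader/runtime.js";

if (typeof module !== 'undefined' && require.main === module) {
  for (const p of [PLAIN_PATH, QUOTED_PATH]) {
    const unsafe = buildInjectionUnsafe(p);
    const safe = buildInjectionSafe(p);
    console.log('unsafe parses:', parses(unsafe), '->', unsafe);
    console.log('safe   parses:', parses(safe), '->', safe);
  }
}
```

Run with `node` to see that the unsafe line fails to parse for the path with a quote while the hardened line parses for both; the same JSON.stringify approach covers Windows paths with backslashes, which would otherwise be read as escape sequences.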

Hello @Martin-Pitt. Thanks for the feedback!

You should not enable electron-hot in production, so I don't really think there is an XSS risk here.

That being said, I would love to fix this problem. Would you be able to send a PR?

geowarin avatar Jun 01 '17 16:06 geowarin