
security: sanitize function bodies#199

Merged
redonkulus merged 6 commits into
mainfrom
xss-fix
Nov 28, 2025

Conversation

@redonkulus

Collaborator

We got a bug report internally that function bodies were not being sanitized. This adds logic to do that via a new option.

I confirm that this contribution is made under the terms of the license found in the root directory of this repository's source tree and that I have the authority necessary to make this contribution on behalf of its copyright owner.
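The defect this PR describes, shown as an added example that is not serialize-javascript's own code: a minimal serializer that mirrors the library's behaviour for string values (JSON-encode, then escape `<`, `>`, `/`, U+2028 and U+2029 as `\uXXXX`) and for function values (emit `Function.prototype.toString()` source). The raw function source can carry `</script>` straight into an inline script, which is the XSS. The `sanitizeFunctions` option, the helper names and the sample state object are assumptions made for illustration; the page does not state the name of the option the PR actually added, and the library itself is not used here so the example runs offline.

```javascript
// Added example (not serialize-javascript's code). Demonstrates why function
// source needs its own sanitization when the serialized output is embedded in
// an inline <script>, and why the string escaping cannot simply be reused.

// Escape map the library applies to string values; the escaped forms are still
// valid inside a JS string literal, so the value round-trips unchanged.
const UNSAFE_CHARS = /[<>\/\u2028\u2029]/g;
const ESCAPES = {
  '<': '\\u003C', '>': '\\u003E', '/': '\\u002F',
  '\u2028': '\\u2028', '\u2029': '\\u2029',
};

function serializeString(s) {
  return JSON.stringify(s).replace(UNSAFE_CHARS, (c) => ESCAPES[c]);
}

// Function values are emitted as source text. That text is code, not a string
// literal, so the \uXXXX escapes above cannot be applied blindly: "a / b" would
// become "a \u002F b", a syntax error. Instead rewrite only the sequence that
// closes an inline <script>: "</" becomes "<\/", which means the same thing
// inside string, template and regex literals and in comments, the only places
// "</script" can legally appear in function source.
// `sanitizeFunctions` is a hypothetical option name, not the library's API.
function serializeFunction(fn, opts) {
  let src = fn.toString();
  if (opts.sanitizeFunctions) src = src.replace(/<\//g, '<\\/');
  return src;
}

// Tiny recursive serializer covering only what the demo needs.
function serialize(value, opts = {}) {
  if (typeof value === 'function') return serializeFunction(value, opts);
  if (typeof value === 'string') return serializeString(value);
  if (Array.isArray(value)) {
    return '[' + value.map((v) => serialize(v, opts)).join(',') + ']';
  }
  if (value && typeof value === 'object') {
    return '{' + Object.keys(value)
      .map((k) => JSON.stringify(k) + ':' + serialize(value[k], opts))
      .join(',') + '}';
  }
  return String(value); // numbers, booleans, null, undefined (demo only)
}

// Constructed sample: attacker-influenced text that ended up inside a function
// body (e.g. a template compiled from user input), next to the same text as a
// plain string. Both are rendered as <script>window.__STATE__ = ...</script>.
const evil = '</script><script>alert(document.domain)</script>';
const state = {
  label: evil,
  render: function () { return '</script><script>alert(document.domain)</script>'; },
};

// The HTML tokenizer ends script content at "</script" regardless of JS syntax.
const BREAKOUT = /<\/script/i;
function canBreakOut(serialized) {
  return BREAKOUT.test(serialized);
}

// Round-trip check: evaluating the sanitized text must produce an object whose
// function behaves exactly like the original, i.e. sanitization preserved
// semantics rather than just deleting characters.
function roundTrip(serialized) {
  return new Function('return (' + serialized + ')')();
}

const unsafeOut = serialize(state);                          // string escaped, function raw
const safeOut = serialize(state, { sanitizeFunctions: true }); // both neutralised

console.log('unsanitized can break out:', canBreakOut(unsafeOut));
console.log('sanitized can break out:  ', canBreakOut(safeOut));
console.log('round-trip intact:        ', roundTrip(safeOut).render() === evil);
```

The `</` rewrite is deliberately narrow: it is semantics-preserving in every literal and comment context, but it would alter source where `</` occurs outside one, which in practice means a regex literal written immediately after a `<` operator with no space; a tokenizer-based sanitizer is the fix if that matters. Whatever the option is called in the release, the check worth keeping is the round-trip one above: sanitized output must still evaluate to a function with the original behaviour.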

@redonkulus redonkulus requested a review from okuryu November 19, 2025 20:21
@redonkulus redonkulus requested a review from okuryu November 20, 2025 15:48
@redonkulus redonkulus requested a review from okuryu November 21, 2025 19:18
@redonkulus redonkulus requested a review from okuryu November 24, 2025 19:13
@okuryu

okuryu commented Nov 27, 2025

Collaborator

@redonkulus If it would be better for me to handle the merge and release tasks, I can do so. Please let me know.

@redonkulus redonkulus merged commit 738a8e9 into main Nov 28, 2025
3 checks passed
@redonkulus

Collaborator Author

@okuryu Sorry, I merged it already, but if you could publish the release, that would be great!

@redonkulus redonkulus deleted the xss-fix branch November 28, 2025 06:38
@okuryu

okuryu commented Nov 28, 2025

Collaborator

published v7.0.1.

meta-codesync Bot pushed a commit to facebook/capi-param-builder that referenced this pull request Apr 5, 2026
Summary:
Bumps serialize-javascript from 6.0.2 to 7.0.5.
Release notes (sourced from serialize-javascript’s releases)
- v7.0.5
Fixes
Improve robustness and validation for array-like object serialization.
Fix an issue where certain object structures could lead to excessive CPU usage.
For more details, please see GHSA-qj8w-gfj5-8c6v.
- v7.0.4
What’s Changed
release: v7.0.4 by okuryu in yahoo/serialize-javascript#211
Full Changelog: yahoo/serialize-javascript@v7.0.3...v7.0.4
- v7.0.3
fix(CVE-2020-7660): fix for RegExp.flags and Date.prototype.toISOString (#207) 2e609d0
build(deps-dev): bump lodash from 4.17.21 to 4.17.23 (#206) 42b7cdb
Compare: yahoo/serialize-javascript@v7.0.2...v7.0.3
- v7.0.2
What’s Changed
ci: bump GitHub Actions to latest versions by okuryu in yahoo/serialize-javascript#203
ci: setup trusted publishing workflow by okuryu in yahoo/serialize-javascript#204
release: v7.0.2 by okuryu in yahoo/serialize-javascript#205
Full Changelog: yahoo/serialize-javascript@v7.0.1...v7.0.2
- v7.0.1
What’s Changed
Add warning about using this package to send arbitrary data to worker threads by valadaptive in yahoo/serialize-javascript#200
security: sanitize function bodies by redonkulus in yahoo/serialize-javascript#199
docs: tweak README by okuryu in yahoo/serialize-javascript#201
release: v7.0.1 by okuryu in yahoo/serialize-javascript#202
New Contributors
redonkulus made their first contribution in yahoo/serialize-javascript#199
Full Changelog: yahoo/serialize-javascript@v7.0.0...v7.0.1
- v7.0.0
Breaking Changes
requires Node.js v20+
What’s Changed
Bump mocha from 10.2.0 to 10.4.0 by dependabot[bot] in yahoo/serialize-javascript#178

Commits
df3f1c1 release: v7.0.5
f147e90 Merge commit from fork
eec32e0 release: v7.0.4
d505715 7.0.3
2e609d0 fix(CVE-2020-7660): fix for RegExp.flags and Date.prototype.toISOString (#207)
42b7cdb build(deps-dev): bump lodash from 4.17.21 to 4.17.23 (#206)
44f544b release: v7.0.2 (#205)
bba0ddd ci: setup trusted publishing workflow (#204)
235f6ea ci: bump GitHub Actions to latest versions (#203)
f7fff15 release: v7.0.1 (#202)
Additional commits: yahoo/serialize-javascript@v6.0.2...v7.0.5

Differential Revision: D99491918

fbshipit-source-id: 91bc933bd8b3e3ca7e54bbae13fe4126c267f852