fix(security): prevent XSS attack on toast, related to #1353

Akryum · Akryum · commit fa17699aba2b · 2021-01-29T11:40:11.000+01:00
diff --git a/packages/shell-chrome/src/devtools-background.js b/packages/shell-chrome/src/devtools-background.js
@@ -68,7 +68,7 @@ function onContextMenu ({ id }) {
         }, 'Open Vue devtools to see component details')
       } else {
         pendingAction = null
-        toast('No Vue component was found', 'warn')
+        toast('component-not-found')
       }
     })
   }
@@ -113,7 +113,15 @@ function onPanelHidden () {
 
 // Toasts
 
-function toast (message, type = 'normal') {
+const toastMessages = {
+  'component-not-found': { message: 'No Vue component was found', type: 'warn' }
+}
+
+function toast (id) {
+  if (!Object.keys().includes(id)) return
+
+  const { message, type } = toastMessages[id]
+
   const src = `(function() {
     __VUE_DEVTOOLS_TOAST__(\`${message}\`, '${type}');
   })()`
