
Commit 991e78f

fix: sanitise and escape the pretty option (#3314)
1 parent 06baa52 commit 991e78f


1 file changed

+11
-2
lines changed


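--- a/packages/pug-code-gen/index.js
+++ b/packages/pug-code-gen/index.js
@@ -57,6 +57,11 @@ function Compiler(node, options) {
 if (this.pp && typeof this.pp !== 'string') {
 this.pp = ' ';
 }
+if (this.pp && !/^\s+$/.test(this.pp)) {
+throw new Error(
+'The pretty parameter should either be a boolean or whitespace only string'
+);
+}
 this.debug = false !== options.compileDebug;
 this.indents = 0;
 this.parentIndents = 0;
@@ -452,7 +457,9 @@ Compiler.prototype = {
 visitMixinBlock: function(block) {
 if (this.pp)
 this.buf.push(
-"pug_indent.push('" + Array(this.indents + 1).join(this.pp) + "');"
+'pug_indent.push(' +
+stringify(Array(this.indents + 1).join(this.pp)) +
+');'
 );
 this.buf.push('block && block();');
 if (this.pp) this.buf.push('pug_indent.pop();');
@@ -504,7 +511,9 @@ Compiler.prototype = {
 this.mixins[key].used = true;
 if (pp)
 this.buf.push(
-"pug_indent.push('" + Array(this.indents + 1).join(pp) + "');"
+'pug_indent.push(' +
+stringify(Array(this.indents + 1).join(pp)) +
+');'
 );
 if (block || attrs.length || attrsBlocks.length) {
 this.buf.push(name + '.call({');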
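Review bot: The whitespace check added to `Compiler` after the `typeof this.pp` coercion has no comment saying why it exists, and the commit (one file changed) adds no regression test for it. `this.pp` is concatenated into the generated template source, so I would put `// pp is emitted into generated JS; allow only whitespace so it cannot carry code` above the `if`, and add a test asserting that a non-whitespace `pretty` value throws. Because `\s` also accepts line terminators, the two `stringify(...)` calls in `visitMixinBlock` and in the mixin-call hunk are still needed. Any other place outside these hunks that joins `this.pp` or `pp` into `this.buf` without `stringify` should get the same treatment. The enclosing functions extend beyond the hunks shown.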
