> Someone asking you to write a test for new code
per the response: "I'm not sure what kind of test would you like me to write for this change, as it's simply adding 4 quotes"
> Someone asking you to write a test for new code
per the response: "I'm not sure what kind of test would you like me to write for this change, as it's simply adding 4 quotes"
Maybe one showing that the change doesn't make it worse. Here's the code change:
I know zero about this code path, but suppose it's expected that `${$(this).data('href')}` is already a properly quoted value, like `"https://example.com"`. Then the first line expands to: and the second expands to: which would have all kinds of room for mischief. Or suppose the template engine auto-quotes values that it injects, so the quotes aren't necessary at all, which is a pretty common approach. The point is that you don't randomly want to throw quotes into HTML or single quotes into SQL just for giggles. You have to write tests demonstrating that the existing common use cases still work after the change, even if it's simply adding 4 quotes.I'd say also add a test that shows the HTML injection (which spurred the PR) isn't possible. Given an attacker-controlled URL of:
the following shouldn't render: The following should:Oh, for sure! That'd end the conversation: "your change breaks the existing tests. Fix that and we'll re-consider."
I wonder why they didn't change it to use DOM APIs instead. Related comment:
https://news.ycombinator.com/item?id=47945472
That totally justifies the very normal extortion like blog post in response.