CSP: Do not highlight directive names with adjacent hyphens (#2662) CSP tokens used `\b` to assert word boundaries but this is incorrect as CSP tokens may contain hyphens (`-`). This replaces the assertions with lookarounds that address the issue.
diff --git a/components/prism-csp.js b/components/prism-csp.js
index 861f5a0..c8facbc 100644
--- a/components/prism-csp.js
+++ b/components/prism-csp.js
@@ -11,7 +11,8 @@
Prism.languages.csp = {
'directive': {
- pattern: /\b(?:base-uri|block-all-mixed-content|(?:child|connect|default|font|frame|img|manifest|media|object|script|style|worker)-src|disown-opener|form-action|frame-ancestors|plugin-types|referrer|reflected-xss|report-to|report-uri|require-sri-for|sandbox|upgrade-insecure-requests)\b/i,
+ pattern: /(^|[^-\da-z])(?:base-uri|block-all-mixed-content|(?:child|connect|default|font|frame|img|manifest|media|object|script|style|worker)-src|disown-opener|form-action|frame-ancestors|plugin-types|referrer|reflected-xss|report-to|report-uri|require-sri-for|sandbox|upgrade-insecure-requests)(?=[^-\da-z]|$)/i,
+ lookbehind: true,
alias: 'keyword'
},
'safe': {
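Review bot: The new boundary class `[^-\da-z]` in the `directive` pattern counts `_` as a delimiter, so a token such as `default-src_x` or `x_default-src` would now be highlighted as a keyword, which the old `\b` assertions did not allow. A CSP directive name consists only of letters, digits and hyphens, so such a token is not a recognised directive, and showing it as one can make a mistyped policy look valid to someone reviewing it. Consider using `(^|[^-\w])` for the leading group and `(?=[^-\w]|$)` for the lookahead, then regenerating `prism-csp.min.js`. A `default-src_x` line in `tests/languages/csp/issue2661.test` would pin this case. The `Prism.languages.csp` object continues outside this hunk.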
diff --git a/components/prism-csp.min.js b/components/prism-csp.min.js
index b07a47a..6da48ba 100644
--- a/components/prism-csp.min.js
+++ b/components/prism-csp.min.js
@@ -1 +1 @@
-Prism.languages.csp={directive:{pattern:/\b(?:base-uri|block-all-mixed-content|(?:child|connect|default|font|frame|img|manifest|media|object|script|style|worker)-src|disown-opener|form-action|frame-ancestors|plugin-types|referrer|reflected-xss|report-to|report-uri|require-sri-for|sandbox|upgrade-insecure-requests)\b/i,alias:"keyword"},safe:{pattern:/'(?:self|none|strict-dynamic|(?:nonce-|sha(?:256|384|512)-)[a-zA-Z\d+=/]+)'/,alias:"selector"},unsafe:{pattern:/(?:'unsafe-inline'|'unsafe-eval'|'unsafe-hashed-attributes'|\*)/,alias:"function"}};
\ No newline at end of file
+Prism.languages.csp={directive:{pattern:/(^|[^-\da-z])(?:base-uri|block-all-mixed-content|(?:child|connect|default|font|frame|img|manifest|media|object|script|style|worker)-src|disown-opener|form-action|frame-ancestors|plugin-types|referrer|reflected-xss|report-to|report-uri|require-sri-for|sandbox|upgrade-insecure-requests)(?=[^-\da-z]|$)/i,lookbehind:!0,alias:"keyword"},safe:{pattern:/'(?:self|none|strict-dynamic|(?:nonce-|sha(?:256|384|512)-)[a-zA-Z\d+=/]+)'/,alias:"selector"},unsafe:{pattern:/(?:'unsafe-inline'|'unsafe-eval'|'unsafe-hashed-attributes'|\*)/,alias:"function"}};
\ No newline at end of file
diff --git a/tests/languages/csp/issue2661.test b/tests/languages/csp/issue2661.test
new file mode 100644
index 0000000..1d25bd0
--- /dev/null
+++ b/tests/languages/csp/issue2661.test
@@ -0,0 +1,11 @@
+default-src-is-a-fake; fake-default-src;
+
+----------------------------------------------------
+
+[
+ "default-src-is-a-fake; fake-default-src;"
+]
+
+----------------------------------------------------
+
+Checks for directive names with adjacent hyphens.