ant-design Antd Less creates global JavaScript leaks

k2fxgqgv posted on 2022-11-19 in Java
  • I have searched the issues of this repository and believe that this is not a duplicate.

Version

3.6.4

Environment

Mac Node.js

https://github.com/ant-design/ant-design

Steps to reproduce

I'm a maintainer of Less. There were some reported issues of using Antd with Less 3.x. I decided to try adding ant-design to Less tests. But immediately a global leak was detected by Less tests. I got the error message: Global leak detected: colorEasing, tinycolor, colorPalette

It seems that the Less files, when Inline JavaScript is enabled, add functions to the global object.

What is expected?

Less style files should not manipulate or leak into the global object.

What is actually happening?

colorEasing, tinycolor, colorPalette are leaking globally.

If you need help with creating a proper Less plugin (Inline JavaScript is discouraged for security and leak reasons like this), you can ask questions here: https://gitter.im/less/less.js
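The kind of leak check described in the report above can be reproduced without Less; this is an added example, not code from the thread or from the Less or ant-design projects. `INLINE_JS` is a constructed stand-in for the stylesheet's inline JavaScript, and the example assumes the evaluator compiles snippets with the `Function` constructor and calls them without a receiver.

```javascript
// Constructed stand-in for inline JavaScript embedded in a .less file.
// Assumption: the evaluator compiles it with the Function constructor,
// so the body runs in sloppy mode and a bare call gets the global `this`.
const INLINE_JS = `
  this.colorEasing = function (t) { return t * t; };
  this.tinycolor = function (c) { return { input: c }; };
  this.colorPalette = function (c, i) { return c + '-' + i; };
`;

// Run fn and return the property names it added to the global object.
function detectGlobalLeaks(fn) {
  const before = new Set(Object.getOwnPropertyNames(globalThis));
  fn();
  return Object.getOwnPropertyNames(globalThis)
    .filter((name) => !before.has(name))
    .sort();
}

// Delete leaked names so one test case cannot mask or feed the next.
function cleanup(names) {
  for (const name of names) delete globalThis[name];
}

// Leaky evaluation: no receiver, so `this` is the global object.
function evalLeaky(source) {
  new Function(source)();
}

// Scoped evaluation: same source, explicit receiver collects the functions.
function evalScoped(source) {
  const registry = Object.create(null);
  new Function(source).call(registry);
  return registry;
}

function runDemo() {
  const leaked = detectGlobalLeaks(() => evalLeaky(INLINE_JS));
  cleanup(leaked);
  let registry;
  const scopedLeaks = detectGlobalLeaks(() => { registry = evalScoped(INLINE_JS); });
  return { leaked, scopedLeaks, registered: Object.keys(registry).sort() };
}

const demo = runDemo();
if (demo.leaked.length) console.log('Global leak detected: ' + demo.leaked.join(', '));
console.log('Leaks with explicit receiver: ' + demo.scopedLeaks.length);
```

Running the same source with an explicit receiver keeps the three functions on a local object, which is the isolation a Less plugin's function registry gives over inline JavaScript.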

ar5n3qh5 3#

Shouldn't this be fixed ASAP, if it is a security vulnerability issue?
My build is failing when I try to import less file with webpack, because enableJavascript is set to false by default.

Probably this is the proper way of including js now?
http://lesscss.org/features/#plugin-atrules-feature

4bbkushb 4#

@tylik1 This isn't directly related to the inline JavaScript issue. This is what that inline JavaScript is doing (leaking into the global namespace), which is its own problem. So this isn't so much a security vulnerability issue as a performance / memory issue. Antd shouldn't be calling "Less" code that then has embedded JS code that is injecting vars globally into the Node runtime. There are layers of bad practices here.

7qhs6swi 5#

Are there any updates here? Or on the topic of Ant's use of inline JavaScript in general? Our project is evaluating Ant and we just ran into this as well. Ant seems promising, but we're nervous about the fact that it's using a deprecated, insecure LESS feature. Would like to know if there is a timeline or roadmap for fixing Ant's stylesheet to not use this mechanism.

lg40wkob 6#

It looks like this was addressed (at least partially) in #13595, which was then reverted the next day by @chenshuai2144 in #13613, then that revert was reverted in #13621, and then that was reverted in #13622, leaving us back in the original state.

I don't see any conversation about what was wrong with the original merge -- @chenshuai2144 do you have any details about what would need to be changed in order for us to resolve this issue, or what caused the flurry of reversions?

zynd9foi 7#

Another reason to remove javascriptEnable of less: #19234

xiozqbni 8#

Is the antd team bailing on this issue? I see the PR to resolve was closed rather unceremoniously (#20470) and switching javascriptEnabled to false in my webpack.config throws errors for .bezierEasingMixin();

jdzmm42g 9#

Any updates on this?
