From 0cd51f70d2676569387f5f6a9047eb9553fea708 Mon Sep 17 00:00:00 2001
From: Moritz Bunkus
Date: Mon, 6 Feb 2017 11:46:31 +0100
Subject: [PATCH] =?utf8?q?kivi.parse=5Famount:=20bei=20ung=C3=BCltigen=20Z?= =?utf8?q?eichen=200=20zur=C3=BCckgeben?=
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

Es werden nun nur noch mathematische Zeichen erlaubt.
---
 js/kivi.js | 4 ++++
 js/t/kivi/parse_amount.js | 6 ++++++
 2 files changed, 10 insertions(+)

diff --git a/js/kivi.js b/js/kivi.js
index e17294a12..dbf5a0ed2 100644
--- a/js/kivi.js
+++ b/js/kivi.js
@@ -61,6 +61,10 @@ namespace("kivi", function(ns) {
 amount = amount.replace(/[\',]/g, "")
+ // Make sure no code wich is not a math expression ends up in eval().
+ if (!amount.match(/^[0-9 ()\-+*/.]*$/))
+ return 0;
+
 /* jshint -W061 */
 return eval(amount);
 };
diff --git a/js/t/kivi/parse_amount.js b/js/t/kivi/parse_amount.js
index 9b7d2aa07..1ef2b1193 100644
--- a/js/t/kivi/parse_amount.js
+++ b/js/t/kivi/parse_amount.js
@@ -109,3 +109,9 @@ QUnit.test("kivi.parse_amount function numbers with leading 0 should still be pa
 assert.equal(kivi.parse_amount('0123456789'), 123456789, '0123456789');
 assert.equal(kivi.parse_amount('000123456789'), 123456789, '000123456789');
 });
+
+QUnit.test("kivi.parse_amount function German number style with thousand separator & contains invalid characters", function( assert ) {
+ kivi.setup_formats({ numbers: '1.000,00' });
+
+ assert.equal(kivi.parse_amount('iuh !@#$% 10,00'), 0, 'iuh !@#$% 10,00');
+});
-- 
2.20.1
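Review bot: The character allow-list added before eval() keeps arbitrary code out, but strings made only of allowed characters can still make eval() throw or return something other than a number — `'1 2'` is a SyntaxError, `'1(2)'` a TypeError, and an input starting with `/` can be parsed as a regex literal — so the function still does not return 0 for every invalid amount as the commit message suggests. Wrapping the eval() in try/catch and checking the result type would complete that contract; the rewritten tail of the function is below. The new comment also has a typo: `// Make sure no code which is not a math expression ends up in eval().`. The enclosing parse_amount function starts outside the hunk, so its parameter handling is not visible here.
```javascript
    // Make sure no code which is not a math expression ends up in eval().
    if (!amount.match(/^[0-9 ()\-+*/.]*$/))
      return 0;

    /* jshint -W061 */
    try {
      var result = eval(amount);
      // Allowed characters can still form an invalid expression (e.g. "1 2",
      // "1(2)") or a non-numeric value; treat those as invalid input too.
      return typeof result === 'number' ? result : 0;
    } catch (e) {
      return 0;
    }
```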
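Review bot: The new test only exercises characters that the allow-list rejects outright; an input that passes the character filter but is not a valid expression, e.g. `assert.equal(kivi.parse_amount('(10,00'), 0, '(10,00');`, would pin down whether such strings also yield 0 rather than an exception from eval(). The test name says "German number style with thousand separator", but the input contains no thousand separator; an input such as `'iuh !@#$% 1.010,00'` would match the description. QUnit.test bodies here are self-contained, so no other part of the file is affected.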