Last 12 weeks · 0 commits
5 of 6 standards met
Description When using browser nav the browser fires the popstate event before any of the router callbacks go off, and it can't be intercepted. Therefore we can't rely on events to save the scroll position when using the back/forward buttons. This sets up an interval timer to periodically save the scroll position. For more info see: https://github.com/antfu/vue-router-better-scroller/issues/4#issuecomment-3276223621 Linked Issues fixes #3 fixes #4 Additional context
Describe the bug hi, we are a security team. We found a Prototype Pollution vulnerability in your project. Thefunction exported by @better-scroll/shared-utils@2.5.1 is vulnerable to local prototype pollution. The root cause is a classic one: it uses aloop to iterate over properties, coupled with unconditional assignment of , without any check or filtering of the property. Vulnerable Code Lines 99-103 of the CJS build artifact (the logic in lines 93-97 of the ESM build artifact is identical): javascript In an object parsed via JSON.parse, is an own enumerable property and thus can be enumerated by the for...in loop. When is executed, it triggers thesetter, causing the prototype chain of the target object to be replaced with the object supplied by an attacker. Reproduction Payload: {"__proto__":{"polluted":"yes"}} Results: List of keys enumerated by for...in: ["__proto__"] Object.getPrototypeOf(target) === Object.prototype → false (the prototype has been replaced) target.polluted → "yes" (inherited from the tampered prototype) ({}).polluted → undefined (no impact on the global scope) Payload: {"__proto__":{"isAdmin":true}} This yields the same result: local prototype pollution is successful, and the global scope remains unaffected Used Package Manager npm Validations [x] Follow our Code of Conduct [x] Read the Contributing Guide. [x] Check that there isn't already an issue that reports the same bug to avoid creating a duplicate. [x] Check that this is a concrete bug. For Q&A, please open a GitHub Discussion instead. [x] The provided reproduction is a minimal reproducible of the bug. Contributions [ ] I am willing to submit a PR to fix this issue [ ] I am willing to submit a PR with failing tests (actually just go ahead and do it, thanks!)
Describe the bug router.beforeResolve: history.replaceState({ ...history.state, [STATE_KEY]: pos }, ""); 存储的对象 在 router.afterEach:中没能取到值 const pos = history.state[STATE_KEY] positionsMap.get(key); !cf4b31fc2383773297c295f22556040 !891cad45e11f78c157ed1b1d71bd6c0 Reproduction https://github.com/cestrongly/my-vue-app System Info Used Package Manager pnpm Validations [X] Follow our Code of Conduct [X] Read the Contributing Guide. [X] Check that there isn't already an issue that reports the same bug to avoid creating a duplicate. [X] Check that this is a concrete bug. For Q&A, please open a GitHub Discussion instead. [X] The provided reproduction is a minimal reproducible of the bug.
Describe the bug Currently the scroll position is only be remembered when navigating "normally" through the page. There is an explicit return to prevent saving the state when using the history back button: https://github.com/antfu/vue-router-better-scroller/blob/main/src/index.ts#L23 Why is that so? The problem is that when using the history forward button afterwards the scroll position cannot be restored. Validations [X] Follow our Code of Conduct [X] Read the Contributing Guide. [X] Check that there isn't already an issue that reports the same bug to avoid creating a duplicate. [X] Check that this is a concrete bug. For Q&A, please open a GitHub Discussion instead.
Repository: antfu/vue-router-better-scroller. Description: Enhanced scroll behavior for Vue Router Stars: 336, Forks: 4. Primary language: TypeScript. Languages: TypeScript (86.1%), Vue (11.2%), HTML (2.7%). License: MIT. Open PRs: 1, open issues: 2. Last activity: 3y ago. Community health: 85%. Top contributors: antfu, amrbashir, KiligFei.