Merge pull request #747 from sveltejs/gh-741

Fix escaping/unescaping of text and attributes in SSR
7 years ago · 207c59986a
parent 4daef9ab5e b99e9207ac
commit 207c59986a
12 changed files with 28 additions and 9 deletions
--- a/src/generators/dom/index.ts
+++ b/src/generators/dom/index.ts
@ -4,7 +4,7 @@ import annotateWithScopes from '../../utils/annotateWithScopes';
 import isReference from '../../utils/isReference';
 import { walk } from 'estree-walker';
 import deindent from '../../utils/deindent';
-import stringify from '../../utils/stringify';
+import { stringify } from '../../utils/stringify';
 import CodeBuilder from '../../utils/CodeBuilder';
 import visit from './visit';
 import shared from './shared';
--- a/src/generators/dom/visitors/Component/Attribute.ts
+++ b/src/generators/dom/visitors/Component/Attribute.ts
@ -2,7 +2,7 @@ import { DomGenerator } from '../../index';
 import Block from '../../Block';
 import { Node } from '../../../../interfaces';
 import { State } from '../../interfaces';
-import stringify from '../../../../utils/stringify';
+import { stringify } from '../../../../utils/stringify';

 export default function visitAttribute(
 	generator: DomGenerator,
--- a/src/generators/dom/visitors/Element/Attribute.ts
+++ b/src/generators/dom/visitors/Element/Attribute.ts
@ -1,6 +1,6 @@
 import attributeLookup from './lookup';
 import deindent from '../../../../utils/deindent';
-import stringify from '../../../../utils/stringify';
+import { stringify } from '../../../../utils/stringify';
 import getStaticAttributeValue from './getStaticAttributeValue';
 import { DomGenerator } from '../../index';
 import Block from '../../Block';
--- a/src/generators/dom/visitors/Text.ts
+++ b/src/generators/dom/visitors/Text.ts
@ -2,7 +2,7 @@ import { DomGenerator } from '../index';
 import Block from '../Block';
 import { Node } from '../../../interfaces';
 import { State } from '../interfaces';
-import stringify from '../../../utils/stringify';
+import { stringify } from '../../../utils/stringify';

 export default function visitText(
 	generator: DomGenerator,
--- a/src/generators/server-side-rendering/index.ts
+++ b/src/generators/server-side-rendering/index.ts
@ -178,7 +178,12 @@ export default function ssr(
 		function __escape ( html ) {
 			return String( html ).replace( /["'&<>]/g, match => escaped[ match ] );
 		}
-	`.replace(/(\\)?@(\w*)/g, (match: string, escaped: string, name: string) => escaped ? match.slice(1) : generator.alias(name));
+	`.replace(/(\\)?([@#])(\w*)/g, (match: string, escaped: string, sigil: string, name: string) => {
+		if (escaped) return match.slice(1);
+		if (sigil !== '@') return match;
+
+		return generator.alias(name);
+	});

 	return generator.generate(result, options, { name, format });
 }
--- a/src/generators/server-side-rendering/visitors/Element.ts
+++ b/src/generators/server-side-rendering/visitors/Element.ts
@ -4,6 +4,7 @@ import visit from '../visit';
 import visitWindow from './meta/Window';
 import { SsrGenerator } from '../index';
 import Block from '../Block';
+import { escape } from '../../../utils/stringify';
 import { Node } from '../../../interfaces';

 const meta = {
@ -14,7 +15,7 @@ function stringifyAttributeValue(block: Block, chunks: Node[]) {
 	return chunks
 		.map((chunk: Node) => {
 			if (chunk.type === 'Text') {
-				return chunk.data;
+				return escape(chunk.data).replace(/"/g, '&quot;');
 			}

 			const { snippet } = block.contextualise(chunk.expression);
--- a/src/generators/server-side-rendering/visitors/Text.ts
+++ b/src/generators/server-side-rendering/visitors/Text.ts
@ -1,5 +1,6 @@
 import { SsrGenerator } from '../index';
 import Block from '../Block';
+import { escape } from '../../../utils/stringify';
 import { Node } from '../../../interfaces';

 export default function visitText(
@ -7,5 +8,5 @@ export default function visitText(
 	block: Block,
 	node: Node
 ) {
-	generator.append(node.data.replace(/(\${|`|\\)/g, '\\$1').replace(/([^\\@#])?([@#])/g, '$1\\$2'));
+	generator.append(escape(node.data).replace(/(\${|`|\\)/g, '\\$1'));
 }
--- a/src/utils/stringify.ts
+++ b/src/utils/stringify.ts
@ -1,3 +1,7 @@
-export default function stringify(data: string) {
-	return JSON.stringify(data.replace(/([^\\@#])?([@#])/g, '$1\\$2'));
+export function stringify(data: string) {
+	return JSON.stringify(escape(data));
+}
+
+export function escape(data: string) {
+	return data.replace(/([^\\@#])?([@#])/g, '$1\\$2');
 }
--- a/test/runtime/samples/attribute-static-at-symbol/_config.js
+++ b/test/runtime/samples/attribute-static-at-symbol/_config.js
@ -0,0 +1,3 @@
+export default {
+	html: `<a href='mailto:hello@example.com'>email</a>`
+};
--- a/test/runtime/samples/attribute-static-at-symbol/main.html
+++ b/test/runtime/samples/attribute-static-at-symbol/main.html
@ -0,0 +1 @@
+<a href='mailto:hello@example.com'>email</a>
--- a/test/runtime/samples/attribute-static-quotemarks/_config.js
+++ b/test/runtime/samples/attribute-static-quotemarks/_config.js
@ -0,0 +1,3 @@
+export default {
+	html: `<span title='"foo"'>foo</span>`
+};
--- a/test/runtime/samples/attribute-static-quotemarks/main.html
+++ b/test/runtime/samples/attribute-static-quotemarks/main.html
@ -0,0 +1 @@
+<span title='"foo"'>foo</span>
				`@ -0,0 +1 @@`
				`<a href='mailto:hello@example.com'>email</a>`