From 3f73712b257f35afd178f8cc5023d111446780e1 Mon Sep 17 00:00:00 2001 From: tav Date: Wed, 31 Jan 2018 17:08:46 +0000 Subject: [PATCH] Escape HTML attribute values in SSR --- src/generators/server-side-rendering/index.ts | 89 ++++++++++++++++++- .../shared/stringifyAttributeValue.ts | 2 +- 2 files changed, 89 insertions(+), 2 deletions(-) diff --git a/src/generators/server-side-rendering/index.ts b/src/generators/server-side-rendering/index.ts index c998cb894b..a20ad1df93 100644 --- a/src/generators/server-side-rendering/index.ts +++ b/src/generators/server-side-rendering/index.ts @@ -206,7 +206,7 @@ export default function ssr( ${ // TODO this is a bit hacky - /__escape/.test(generator.renderCode) && deindent` + /__escape\(/.test(generator.renderCode) && deindent` var escaped = { '"': '"', "'": '&##39;', @@ -221,6 +221,93 @@ export default function ssr( ` } + ${ + // TODO this is a bit hacky + /__escapeAttr\(/.test(generator.renderCode) && deindent` + const __escapeWhitelist = new Set([ + 32, + 45, + 48, + 49, + 50, + 51, + 52, + 53, + 54, + 55, + 56, + 57, + 65, + 66, + 67, + 68, + 69, + 70, + 71, + 72, + 73, + 74, + 75, + 76, + 77, + 78, + 79, + 80, + 81, + 82, + 83, + 84, + 85, + 86, + 87, + 88, + 89, + 90, + 95, + 97, + 98, + 99, + 100, + 101, + 102, + 103, + 104, + 105, + 106, + 107, + 108, + 109, + 110, + 111, + 112, + 113, + 114, + 115, + 116, + 117, + 118, + 119, + 120, + 121, + 122, + ]) + + function __escapeAttr(s) { + const escaped = [] + for (var i = 0; i < s.length; i++) { + const cp = s.codePointAt(i) + if (__escapeWhitelist.has(cp)) { + escaped.push(s.charAt(i)) + } else { + escaped.push('&#' + s.codePointAt(i) + ';') + } + } + return escaped.join('') + } + + ` + } + ${ /__isPromise/.test(generator.renderCode) && deindent` function __isPromise(value) { 
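Review bot: `__escapeAttr`, in the second hunk of this file, never coerces `s` to a string, unlike the neighbouring `__escape` helper's `String(html)`: an attribute expression that evaluates to `null` or `undefined` throws at `s.length`, and a number such as `{count}` renders as an empty value because `(5).length` is `undefined`, so the loop body never runs. The index loop also splits surrogate pairs — at a high surrogate `codePointAt(i)` returns the whole astral code point, then at `i + 1` it returns the lone low surrogate, so one emoji becomes two references such as `&#128512;&#56832;`, the second of which is an invalid lone surrogate. Both are fixed by coercing once and iterating with `for…of`, as below; the current version also computes the code point twice per iteration. Two caveats deserve a comment on the helper: the whitelist admits space (32), so the output is only safe if the caller always emits the attribute value quoted (not visible here), and no character escaping neutralises a `javascript:` scheme in `href`, which stays the template author's responsibility. The enclosing `ssr` function starts and ends outside this hunk.
```typescript
// … unchanged: __escapeWhitelist …
function __escapeAttr(s) {
  // coerce like __escape does; for…of walks code points, so astral chars are not split
  var out = ''
  for (const ch of String(s)) {
    const cp = ch.codePointAt(0)
    out += __escapeWhitelist.has(cp) ? ch : '&#' + cp + ';'
  }
  return out
}
```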
diff --git a/src/generators/server-side-rendering/visitors/shared/stringifyAttributeValue.ts b/src/generators/server-side-rendering/visitors/shared/stringifyAttributeValue.ts
index 22eb0eff76..61db22d94e 100644
--- a/src/generators/server-side-rendering/visitors/shared/stringifyAttributeValue.ts
+++ b/src/generators/server-side-rendering/visitors/shared/stringifyAttributeValue.ts
@@ -11,7 +11,7 @@ export default function stringifyAttributeValue(block: Block, chunks: Node[]) {
 block.contextualise(chunk.expression);
 const { snippet } = chunk.metadata;
- return '${' + snippet + '}';
+ return '${__escapeAttr(' + snippet + ')}';
 })
 .join('');
 }
\ No newline at end of file
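Review bot: The changed `return` wraps `snippet` in `__escapeAttr(…)`, but nothing in this hunk shows the assembled value being emitted inside quotes, and `__escapeAttr`'s whitelist (defined in the other file of this patch) lets space (32) through, so an unquoted `value={x}` would still let `x = 'a autofocus'` inject a boolean attribute — please confirm the caller quotes the value and record that assumption here. A one-line comment above the return would do: `// runtime data: escape for attribute context; assumes the caller emits the value inside quotes — confirm`. Because `snippet` is now spliced in as a call argument, a top-level comma expression would pass two arguments instead of evaluating to its last operand as `${a, b}` did; `'${__escapeAttr((' + snippet + '))}'` preserves the old semantics, though such expressions are unlikely in a template. `stringifyAttributeValue` begins before this hunk, so what the other chunk types return is not visible here.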