Merge commit from fork

* fix: disallow empty attribute names during SSR * Update packages/svelte/tests/server-side-rendering/samples/spread-attributes-event-handler-xss/main.svelte Co-authored-by: Conduitry <git@chor.date> --------- Co-authored-by: Elliott Johnson <hello@ell.iott.dev> Co-authored-by: Conduitry <git@chor.date>
3 days ago · 547853e240
parent 55f9c85c09
commit 547853e240
3 changed files with 12 additions and 2 deletions
--- a/.changeset/famous-webs-flash.md
+++ b/.changeset/famous-webs-flash.md
@ -0,0 +1,5 @@
+---
+'svelte': patch
+---
+
+fix: disallow empty attribute names during SSR
--- a/packages/svelte/src/internal/server/index.js
+++ b/packages/svelte/src/internal/server/index.js
@ -151,7 +151,7 @@ export function attributes(attrs, css_hash, classes, styles, flags = 0) {
 		// omit functions, internal svelte properties and invalid attribute names
 		if (typeof attrs[name] === 'function') continue;
 		if (name[0] === '$' && name[1] === '$') continue; // faster than name.startsWith('$$')
-		if (INVALID_ATTR_NAME_CHAR_REGEX.test(name)) continue;
+		if (name === '' || INVALID_ATTR_NAME_CHAR_REGEX.test(name)) continue;

 		var value = attrs[name];
 		var lower = name.toLowerCase();
--- a/packages/svelte/tests/server-side-rendering/samples/spread-attributes-event-handler-xss/main.svelte
+++ b/packages/svelte/tests/server-side-rendering/samples/spread-attributes-event-handler-xss/main.svelte
@ -5,7 +5,12 @@
 		onclick: 'alert(1)',
 		onerror: 'alert(1)',
 		onfocus: 'alert(1)',
-		onmouseover: 'alert(1)'
+		onmouseover: 'alert(1)',
+		' onload': 'alert(1)',
+		'\tonload': 'alert(1)',
+		'\u00a0onload': 'alert(1)',
+		"\t": "/onmouseover=alert(1)//",
+		"": "/onmouseover=alert(1)//"
 	};
 </script>