From 547853e2406a2147ad7fb5ffeba95b01bd9642da Mon Sep 17 00:00:00 2001
From: Simon H <5968653+dummdidumm@users.noreply.github.com>
Date: Thu, 14 May 2026 20:51:28 +0200
Subject: [PATCH] Merge commit from fork

* fix: disallow empty attribute names during SSR
* Update packages/svelte/tests/server-side-rendering/samples/spread-attributes-event-handler-xss/main.svelte
Co-authored-by: Conduitry
--------
Co-authored-by: Elliott Johnson
Co-authored-by: Conduitry
---
 .changeset/famous-webs-flash.md | 5 +++++
 packages/svelte/src/internal/server/index.js | 2 +-
 .../spread-attributes-event-handler-xss/main.svelte | 7 ++++++-
 3 files changed, 12 insertions(+), 2 deletions(-)
 create mode 100644 .changeset/famous-webs-flash.md

diff --git a/.changeset/famous-webs-flash.md b/.changeset/famous-webs-flash.md
new file mode 100644
index 0000000000..75a01f689a
--- /dev/null
+++ b/.changeset/famous-webs-flash.md
@@ -0,0 +1,5 @@
+---
+'svelte': patch
+---
+
+fix: disallow empty attribute names during SSR
diff --git a/packages/svelte/src/internal/server/index.js b/packages/svelte/src/internal/server/index.js
index 34d0133a31..12f76f188e 100644
--- a/packages/svelte/src/internal/server/index.js
+++ b/packages/svelte/src/internal/server/index.js
@@ -151,7 +151,7 @@ export function attributes(attrs, css_hash, classes, styles, flags = 0) {
 		// omit functions, internal svelte properties and invalid attribute names
 		if (typeof attrs[name] === 'function') continue;
 		if (name[0] === '$' && name[1] === '$') continue; // faster than name.startsWith('$$')
-		if (INVALID_ATTR_NAME_CHAR_REGEX.test(name)) continue;
+		if (name === '' || INVALID_ATTR_NAME_CHAR_REGEX.test(name)) continue;
 
 		var value = attrs[name];
 		var lower = name.toLowerCase();
diff --git a/packages/svelte/tests/server-side-rendering/samples/spread-attributes-event-handler-xss/main.svelte b/packages/svelte/tests/server-side-rendering/samples/spread-attributes-event-handler-xss/main.svelte
index 2a8c17f048..e47a19408e 100644
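Review bot: The added `name === ''` guard in the index.js hunk has no comment saying why an empty key is rejected, and the comment at the top of the hunk ("invalid attribute names") reads as if INVALID_ATTR_NAME_CHAR_REGEX alone covers it, so a later cleanup could drop the check as redundant; add `// '' slips past INVALID_ATTR_NAME_CHAR_REGEX yet would render as a bare ="value", whose value the HTML tokenizer reads as further attributes` above the line (the `"": "/onmouseover=alert(1)//"` key added to the test is exactly that case). From these lines the name appears to be filtered but never escaped, so this check plus the regex look like the whole defence for spread keys; the regex is defined outside the hunk, so whether it rejects U+00A0 and the tab-only key the new test exercises cannot be confirmed here, and a comment on the regex naming the character classes it rejects would make that contract reviewable. The `$$` check above still behaves on an empty string, since `name[0]` is undefined there, so the order of the guards is fine. `attributes` starts before the hunk and continues after it.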
--- a/packages/svelte/tests/server-side-rendering/samples/spread-attributes-event-handler-xss/main.svelte
+++ b/packages/svelte/tests/server-side-rendering/samples/spread-attributes-event-handler-xss/main.svelte
@@ -5,7 +5,12 @@
 		onclick: 'alert(1)',
 		onerror: 'alert(1)',
 		onfocus: 'alert(1)',
-		onmouseover: 'alert(1)'
+		onmouseover: 'alert(1)',
+		' onload': 'alert(1)',
+		'\tonload': 'alert(1)',
+		'\u00a0onload': 'alert(1)',
+		"\t": "/onmouseover=alert(1)//",
+		"": "/onmouseover=alert(1)//"
 	};