fix: sanitize template-literal-special-characters in SSR attribute values (#17692)

Fixes a minor bug where HTML entities could be decoded into significant
characters in the template literal we output for SSR, leading to weird
effects. Not a security issue because it has to be literally written
into the svelte file you're compiling, but still wrong.

---------

Co-authored-by: Rich Harris <rich.harris@vercel.com>

.changeset/brave-pears-matter.md

@@ -0,0 +1,5 @@
+---
+"svelte": patch
+---
+
+fix: sanitize template-literal-special-characters in SSR attribute values

packages/svelte/src/compiler/phases/3-transform/server/visitors/shared/utils.js

@@ -225,7 +225,7 @@ export function build_attribute_value(
 		const node = value[i];
 
 		if (node.type === 'Text') {
-			quasi.value.raw += trim_whitespace
+			quasi.value.cooked += trim_whitespace
 				? node.data.replace(regex_whitespaces_strict, ' ')
 				: node.data;
 		} else {
@@ -244,6 +244,10 @@ export function build_attribute_value(
 		}
 	}
 
+	for (const quasi of quasis) {
+		quasi.value.raw = sanitize_template_string(/** @type {string} */ (quasi.value.cooked));
+	}
+
 	return b.template(quasis, expressions);
 }
 

packages/svelte/tests/server-side-rendering/samples/attribute-template-literal-sanitization/_expected.html

@@ -0,0 +1,3 @@
+<div title="${inject} world"></div>
+<div title="`backtick world"></div>
+<div title="back\slash world"></div>

packages/svelte/tests/server-side-rendering/samples/attribute-template-literal-sanitization/main.svelte

@@ -0,0 +1,7 @@
+<script>
+	export let value = 'world';
+</script>
+
+<div title="&#36;&#123;inject&#125; {value}"></div>
+<div title="&#96;backtick {value}"></div>
+<div title="back\slash {value}"></div>