diff --git a/src/runtime/internal/ssr.ts b/src/runtime/internal/ssr.ts
index 571a25f1ac..e6d747dc18 100644
--- a/src/runtime/internal/ssr.ts
+++ b/src/runtime/internal/ssr.ts
@@ -205,7 +205,7 @@ export function add_classes(classes) {
 function style_object_to_string(style_object) {
 return Object.keys(style_object)
 .filter(key => style_object[key])
- .map(key => `${key}: ${style_object[key]};`)
+ .map(key => `${key}: ${escape_attribute_value(style_object[key])};`)
 .join(' ');
 }
diff --git a/test/runtime/samples/css-vars-escape/Sub.svelte b/test/runtime/samples/css-vars-escape/Sub.svelte
new file mode 100644
index 0000000000..4781b65b36
--- /dev/null
+++ b/test/runtime/samples/css-vars-escape/Sub.svelte
@@ -0,0 +1,7 @@
+
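Review bot: The new `.map` line escapes only the value; `key` is still interpolated raw into the emitted `key: value;` pair, so if a key can ever derive from runtime data rather than compile-time directive or custom-property names, a quote in it would break out of the `style` attribute the same way the value did before this change. If keys are guaranteed to be compile-time identifiers, a one-line comment would save the next reader the same question, e.g. `// keys are compile-time property names; only values are runtime-controlled`. Two things are not visible in this hunk and worth confirming: that `escape_attribute_value` is imported or declared in ssr.ts, and that the caller which wraps this string in `style="..."` does not escape it a second time, which would turn `&quot;` into `&amp;quot;` in the server output.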
hi
+ + diff --git a/test/runtime/samples/css-vars-escape/_config.js b/test/runtime/samples/css-vars-escape/_config.js new file mode 100644 index 0000000000..04defbdae8 --- /dev/null +++ b/test/runtime/samples/css-vars-escape/_config.js @@ -0,0 +1,12 @@ +export default { + html: ` +
+
hi
+
+ `, + ssrHtml: ` +
+
hi
+
+ ` +}; diff --git a/test/runtime/samples/css-vars-escape/main.svelte b/test/runtime/samples/css-vars-escape/main.svelte new file mode 100644 index 0000000000..d18e2d57f2 --- /dev/null +++ b/test/runtime/samples/css-vars-escape/main.svelte @@ -0,0 +1,6 @@ + + + diff --git a/test/runtime/samples/inline-style-directive-escape/_config.js b/test/runtime/samples/inline-style-directive-escape/_config.js new file mode 100644 index 0000000000..31666815d9 --- /dev/null +++ b/test/runtime/samples/inline-style-directive-escape/_config.js @@ -0,0 +1,12 @@ +export default { + html: ` +
+ `, + + test({ assert, component, target }) { + component.attack = '" onload="alert(\'uhoh2\')" data-nothing="not important'; + assert.htmlEqual(target.innerHTML, ` +
+ `); + } +}; diff --git a/test/runtime/samples/inline-style-directive-escape/main.svelte b/test/runtime/samples/inline-style-directive-escape/main.svelte new file mode 100644 index 0000000000..fd27bfda6a --- /dev/null +++ b/test/runtime/samples/inline-style-directive-escape/main.svelte @@ -0,0 +1,5 @@ + + +
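Review bot: This fixture asserts only the client-rendered DOM (`html` plus the `test` hook that reassigns `component.attack`), so the server path changed in `src/runtime/internal/ssr.ts`, which is the one that previously emitted the value unescaped, is covered here only if the runner reuses `html` for its SSR pass. The sibling `css-vars-escape/_config.js` in this same commit adds an explicit `ssrHtml` block; adding one here as well would pin the escaped server output for the `attack` value directly rather than by convention. The expected markup itself is not recoverable from this rendering of the page, so I cannot check that the asserted strings match the escaped form.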