[fix] escape style attribute for SSR (#8087)

src/runtime/internal/ssr.ts

@@ -205,7 +205,7 @@ export function add_classes(classes) {
 function style_object_to_string(style_object) {
 	return Object.keys(style_object)
 		.filter(key => style_object[key])
-		.map(key => `${key}: ${style_object[key]};`)
+		.map(key => `${key}: ${escape_attribute_value(style_object[key])};`)
 		.join(' ');
 }
 

test/runtime/samples/css-vars-escape/Sub.svelte

@@ -0,0 +1,7 @@
+<div>hi</div>
+
+<style>
+	div {
+		background-color: var(--color);
+	}
+</style>

test/runtime/samples/css-vars-escape/_config.js

@@ -0,0 +1,12 @@
+export default {
+	html: `
+		<div style="display: contents; --color: &quot; onload=&quot;alert('uhoh')&quot; data-nothing=&quot;not important;">
+			<div class="svelte-271qee">hi</div>
+		</div>
+	`,
+	ssrHtml: `
+		<div style="display: contents; --color:&quot; onload=&quot;alert('uhoh')&quot; data-nothing=&quot;not important;">
+			<div class="svelte-271qee">hi</div>
+		</div>
+	`
+};

test/runtime/samples/css-vars-escape/main.svelte

@@ -0,0 +1,6 @@
+<script>
+import Sub from './Sub.svelte';
+  export let attack = '" onload="alert(\'uhoh\')" data-nothing="not important';
+</script>
+
+<Sub --color={attack} />

test/runtime/samples/inline-style-directive-escape/_config.js

@@ -0,0 +1,12 @@
+export default {
+	html: `
+		<div style="--css-variable: &quot; onload=&quot;alert('uhoh')&quot; data-nothing=&quot;not important;"></div>
+	`,
+
+	test({ assert, component, target }) {
+		component.attack = '" onload="alert(\'uhoh2\')" data-nothing="not important';
+		assert.htmlEqual(target.innerHTML, `
+			<div style="--css-variable: &quot; onload=&quot;alert('uhoh2')&quot; data-nothing=&quot;not important;"></div>
+		`);
+	}
+};

test/runtime/samples/inline-style-directive-escape/main.svelte

@@ -0,0 +1,5 @@
+<script>
+  export let attack = '" onload="alert(\'uhoh\')" data-nothing="not important';
+</script>
+
+<div style:--css-variable={attack} />