msb-public
/
svelte
mirror of https://github.com/sveltejs/svelte
1
0
Code Issues Projects Releases Wiki Activity

Merge commit from fork

Browse Source 
* fix: strip event handlers during SSR

* whatever conduitry you're not that cool

* tweak
pull/17741/head
Elliott Johnson 2 months ago committed by GitHub
parent 73098bb26c
commit a0c7f28915
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
4 changed files with 24 additions and 0 deletions
Show Stats Download Patch File Download Diff File

5
.changeset/chilly-comics-wear.md
Unescape View File

@ -0,0 +1,5 @@
---
'svelte': patch
---
fix: strip event handlers during SSR

3
packages/svelte/src/internal/server/index.js
Unescape View File

@ -158,6 +158,9 @@ export function attributes(attrs, css_hash, classes, styles, flags = 0) {
name = name.toLowerCase();
}
// omit event handler attributes
if (name.length > 2 && name.startsWith('on')) continue;
if (is_input) {
if (name === 'defaultvalue' || name === 'defaultchecked') {
name = name === 'defaultvalue' ? 'value' : 'checked';

3
packages/svelte/tests/server-side-rendering/samples/spread-attributes-event-handler-xss/_expected.html
Unescape View File

@ -0,0 +1,3 @@
<div id="profile-123" class="card">content</div>
<img src="x" alt="photo" />

13
packages/svelte/tests/server-side-rendering/samples/spread-attributes-event-handler-xss/main.svelte
Unescape View File

@ -0,0 +1,13 @@
<script>
const userdata = {
id: 'profile-123',
class: 'card',
onclick: 'alert(1)',
onerror: 'alert(1)',
onfocus: 'alert(1)',
onmouseover: 'alert(1)'
};
</script>
<div {...userdata}>content</div>
<img src="x" alt="photo" {...{ onerror: 'alert(1)', onload: 'alert(1)' }} />
Write Preview
Loading…
Cancel
Save