msb-public
/
svelte
mirror of https://github.com/sveltejs/svelte
1
0
Code Issues Projects Releases Wiki Activity

Merge pull request from GHSA-gw32-9rmw-qwww

Browse Source 
* rename previous test

* add new <textarea bind:value> test

* escape value in <textarea bind:value>

---------

Co-authored-by: Conduitry <git@chor.date>
version-3
Simon H 2 years ago committed by GitHub
parent 3bc791bcba
commit a31dec5eb3
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 10 additions and 1 deletions
Show Stats Download Patch File Download Diff File

2
src/compiler/compile/render_ssr/handlers/Element.ts
Unescape View File

@ -149,7 +149,7 @@ export default function (node: Element, renderer: Renderer, options: RenderOptio
// value = name === 'textContent' ? x`@escape($$value)` : x`$$value`;
} else if (binding.name === 'value' && node.name === 'textarea') {
const snippet = expression.node;
node_contents = x`${snippet} || ""`;
node_contents = x`@escape(${snippet} || "")`;
} else if (binding.name === 'value' && node.name === 'select') {
// NOTE: do not add "value" attribute on <select />
} else {

0
test/runtime/samples/attribute-escape/_config.js → test/runtime/samples/textarea-bind-value-escape/_config.js
Unescape View File

5
test/runtime/samples/textarea-bind-value-escape/main.svelte
Unescape View File

@ -0,0 +1,5 @@
<script>
let value = `test'"></textarea><script>alert('BIM');</` + `script>`;
</script>
<textarea bind:value />

4
test/runtime/samples/textarea-value-escape/_config.js
Unescape View File

@ -0,0 +1,4 @@
export default {
html: '<textarea></textarea>',
ssrHtml: '<textarea>test\'"&gt;&lt;/textarea&gt;&lt;script&gt;alert(\'BIM\');&lt;/script&gt;</textarea>'
};

0
test/runtime/samples/attribute-escape/main.svelte → test/runtime/samples/textarea-value-escape/main.svelte
Unescape View File

Write Preview
Loading…
Cancel
Save