From 3bc791bcba97f0810165c7a2e215563993a0989b Mon Sep 17 00:00:00 2001
From: Dominik G
Date: Tue, 9 May 2023 20:01:56 +0200
Subject: [PATCH 1/3] feat: add workflow to trigger ecosystem-ci from svelte PRs (#8571)
---
.github/workflows/ecosystem-ci-trigger.yml | 93 ++++++++++++++++++++++
1 file changed, 93 insertions(+)
create mode 100644 .github/workflows/ecosystem-ci-trigger.yml
diff --git a/.github/workflows/ecosystem-ci-trigger.yml b/.github/workflows/ecosystem-ci-trigger.yml
new file mode 100644
index 0000000000..952f83a861
--- /dev/null
+++ b/.github/workflows/ecosystem-ci-trigger.yml
@@ -0,0 +1,93 @@
+name: ecosystem-ci trigger
+
+on:
+ issue_comment:
+ types: [created]
+
+jobs:
+ trigger:
+ runs-on: ubuntu-latest
+ if: github.repository == 'sveltejs/svelte' && github.event.issue.pull_request && startsWith(github.event.comment.body, '/ecosystem-ci run')
+ steps:
+ - uses: actions/github-script@v6
+ with:
+ script: |
+ const user = context.payload.sender.login
+ console.log(`Validate user: ${user}`)
+
+ let hasTriagePermission = false
+ try {
+ const { data } = await github.rest.repos.getCollaboratorPermissionLevel({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ username: user,
+ });
+ hasTriagePermission = data.user.permissions.triage
+ } catch (e) {
+ console.warn(e)
+ }
+
+ if (hasTriagePermission) {
+ console.log('Allowed')
+ await github.rest.reactions.createForIssueComment({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ comment_id: context.payload.comment.id,
+ content: '+1',
+ })
+ } else {
+ console.log('Not allowed')
+ await github.rest.reactions.createForIssueComment({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ comment_id: context.payload.comment.id,
+ content: '-1',
+ })
+ throw new Error('not allowed')
+ }
+ - uses: actions/github-script@v6
+ id: get-pr-data
+ with:
+ script: |
+ console.log(`Get PR info: ${context.repo.owner}/${context.repo.repo}#${context.issue.number}`)
+ const { data: pr } = await github.rest.pulls.get({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ pull_number: context.issue.number
+ })
+ return {
+ num: context.issue.number,
+ branchName: pr.head.ref,
+ repo: pr.head.repo.full_name
+ }
+ - id: generate-token
+ uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92 #keep pinned for security reasons, currently 1.8.0
+ with:
+ app_id: ${{ secrets.ECOSYSTEM_CI_GITHUB_APP_ID }}
+ private_key: ${{ secrets.ECOSYSTEM_CI_GITHUB_APP_PRIVATE_KEY }}
+ repository: "${{ github.repository_owner }}/svelte-ecosystem-ci"
+ - uses: actions/github-script@v6
+ id: trigger
+ env:
+ COMMENT: ${{ github.event.comment.body }}
+ with:
+ github-token: ${{ steps.generate-token.outputs.token }}
+ result-encoding: string
+ script: |
+ const comment = process.env.COMMENT.trim()
+ const prData = ${{ steps.get-pr-data.outputs.result }}
+
+ const suite = comment.split('\n')[0].replace(/^\/ecosystem-ci run/, '').trim()
+
+ await github.rest.actions.createWorkflowDispatch({
+ owner: context.repo.owner,
+ repo: 'svelte-ecosystem-ci',
+ workflow_id: 'ecosystem-ci-from-pr.yml',
+ ref: 'main',
+ inputs: {
+ prNumber: '' + prData.num,
+ branchName: prData.branchName,
+ repo: prData.repo,
+ suite: suite === '' ? '-' : suite
+ }
+ })
From a31dec5eb30978cff7ff4d77f4bf316841f711bc Mon Sep 17 00:00:00 2001
From: Simon H <5968653+dummdidumm@users.noreply.github.com>
Date: Tue, 20 Jun 2023 17:45:53 +0200
Subject: [PATCH 2/3] Merge pull request from GHSA-gw32-9rmw-qwww
* rename previous test * add new + +', + ssrHtml: '' +};
diff --git a/test/runtime/samples/attribute-escape/main.svelte b/test/runtime/samples/textarea-value-escape/main.svelte
similarity index 100%
rename from test/runtime/samples/attribute-escape/main.svelte
rename to test/runtime/samples/textarea-value-escape/main.svelte
From 06553d9b0927bcd9016842abef749a226b86dd9e Mon Sep 17 00:00:00 2001
From: Conduitry
Date: Tue, 20 Jun 2023 12:33:27 -0400
Subject: [PATCH 3/3] -> v3.59.2
---
CHANGELOG.md | 4 ++++
package-lock.json | 4 ++--
package.json | 2 +-
3 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index f256d32448..753e960b6d 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,9 @@ # Svelte changelog +## 3.59.2 + +* Fix escaping `
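Review bot: In the `trigger` step of the new workflow, `const prData = ${{ steps.get-pr-data.outputs.result }}` pastes a step output into the script source before it runs, and that output carries `pr.head.ref` and `pr.head.repo.full_name`, which the PR author controls. It stays a plain literal only because `get-pr-data` uses the default JSON result encoding; the same step already passes the comment body through `env`, so the PR data should follow that pattern: add `PR_DATA: ${{ steps.get-pr-data.outputs.result }}` under `env:` and read it with `const prData = JSON.parse(process.env.PR_DATA)`. This step also receives the GitHub App token while `actions/github-script@v6` is referenced by a movable tag, unlike the SHA-pinned `tibdex/github-app-token`, so pinning it to a commit SHA would match the stated intent. The job declares no `permissions:` block, so the default `GITHUB_TOKEN` scope applies; the first step appears to need only enough to read the collaborator permission and add a reaction, and `branchName`, `repo` and `suite` should be treated as untrusted by the receiving workflow, which is not visible here.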