From c481c8d2b302d9769c92aff699725d11e3531c70 Mon Sep 17 00:00:00 2001
From: Conduitry
Date: Tue, 6 Feb 2018 21:01:40 -0500
Subject: [PATCH] escape attribute values in SSR
---
 .../visitors/shared/stringifyAttributeValue.ts | 2 +-
 test/runtime/samples/attribute-dynamic-quotemarks/_config.js | 3 +++
 test/runtime/samples/attribute-dynamic-quotemarks/main.html | 1 +
 3 files changed, 5 insertions(+), 1 deletion(-)
 create mode 100644 test/runtime/samples/attribute-dynamic-quotemarks/_config.js
 create mode 100644 test/runtime/samples/attribute-dynamic-quotemarks/main.html
diff --git a/src/generators/server-side-rendering/visitors/shared/stringifyAttributeValue.ts b/src/generators/server-side-rendering/visitors/shared/stringifyAttributeValue.ts
index 22eb0eff76..d2df80beab 100644
--- a/src/generators/server-side-rendering/visitors/shared/stringifyAttributeValue.ts
+++ b/src/generators/server-side-rendering/visitors/shared/stringifyAttributeValue.ts
@@ -11,7 +11,7 @@ export default function stringifyAttributeValue(block: Block, chunks: Node[]) {
 block.contextualise(chunk.expression);
 const { snippet } = chunk.metadata;
- return '${' + snippet + '}';
+ return '${__escape(' + snippet + ')}';
 })
 .join('');
 }
\ No newline at end of file
diff --git a/test/runtime/samples/attribute-dynamic-quotemarks/_config.js b/test/runtime/samples/attribute-dynamic-quotemarks/_config.js
new file mode 100644
index 0000000000..b9f4364624
--- /dev/null
+++ b/test/runtime/samples/attribute-dynamic-quotemarks/_config.js
@@ -0,0 +1,3 @@
+export default {
+ html: `foo`
+};
diff --git a/test/runtime/samples/attribute-dynamic-quotemarks/main.html b/test/runtime/samples/attribute-dynamic-quotemarks/main.html
new file mode 100644
index 0000000000..b5c3be5bbd
--- /dev/null
+++ b/test/runtime/samples/attribute-dynamic-quotemarks/main.html
@@ -0,0 +1 @@
+foo
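Review bot: The new `return '${__escape(' + snippet + ')}';` in stringifyAttributeValue.ts is only safe if `__escape` encodes both `"` and `'` as well as `&`, `<` and `>`, because its result is interpolated inside a quoted attribute. The helper's definition is not visible in this patch, so that should be confirmed, along with `__escape` being in scope in every generated SSR module. I would add a comment above the return, `// attribute context: __escape must encode quote characters, not only & < >`. Entity escaping also does not constrain URL-valued attributes such as `href`, where a `javascript:` value passes through unchanged, so that limit is worth stating in the docs. The function body starts outside the hunk, so the handling of static text chunks cannot be checked from here.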