Co-authored-by: Conduitry <git@chor.date>
Co-authored-by: Ben McCann <322311+benmccann@users.noreply.github.com>
pull/7533/head
Rich Harris 3 years ago committed by GitHub
parent 34eb6efedc
commit e7a2350550
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

@ -9,7 +9,7 @@ export function get_class_attribute_value(attribute: Attribute): ESTreeExpressio
// handle special case — `class={possiblyUndefined}` with scoped CSS // handle special case — `class={possiblyUndefined}` with scoped CSS
if (attribute.chunks.length === 2 && (attribute.chunks[1] as Text).synthetic) { if (attribute.chunks.length === 2 && (attribute.chunks[1] as Text).synthetic) {
const value = (attribute.chunks[0] as Expression).node; const value = (attribute.chunks[0] as Expression).node;
return x`@escape(@null_to_empty(${value})) + "${(attribute.chunks[1] as Text).data}"`; return x`@escape(@null_to_empty(${value}), true) + "${(attribute.chunks[1] as Text).data}"`;
} }
return get_attribute_value(attribute); return get_attribute_value(attribute);
@ -22,7 +22,7 @@ export function get_attribute_value(attribute: Attribute): ESTreeExpression {
.map((chunk) => { .map((chunk) => {
return chunk.type === 'Text' return chunk.type === 'Text'
? string_literal(chunk.data.replace(/"/g, '&quot;')) as ESTreeExpression ? string_literal(chunk.data.replace(/"/g, '&quot;')) as ESTreeExpression
: x`@escape(${chunk.node})`; : x`@escape(${chunk.node}, true)`;
}) })
.reduce((lhs, rhs) => x`${lhs} + ${rhs}`); .reduce((lhs, rhs) => x`${lhs} + ${rhs}`);
} }

@ -69,20 +69,34 @@ export function merge_ssr_styles(style_attribute, style_directive) {
return style_object; return style_object;
} }
export const escaped = { const ATTR_REGEX = /[&"]/g;
'"': '&quot;', const CONTENT_REGEX = /[&<]/g;
"'": '&#39;',
'&': '&amp;', /**
'<': '&lt;', * Note: this method is performance sensitive and has been optimized
'>': '&gt;' * https://github.com/sveltejs/svelte/pull/5701
}; */
export function escape(value: unknown, is_attr = false) {
export function escape(html) { const str = String(value);
return String(html).replace(/["'&<>]/g, match => escaped[match]);
const pattern = is_attr ? ATTR_REGEX : CONTENT_REGEX;
pattern.lastIndex = 0;
let escaped = '';
let last = 0;
while (pattern.test(str)) {
const i = pattern.lastIndex - 1;
const ch = str[i];
escaped += str.substring(last, i) + (ch === '&' ? '&amp;' : (ch === '"' ? '&quot;' : '&lt;'));
last = i + 1;
}
return escaped + str.substring(last);
} }
export function escape_attribute_value(value) { export function escape_attribute_value(value) {
return typeof value === 'string' ? escape(value) : value; return typeof value === 'string' ? escape(value, true) : value;
} }
export function escape_object(obj) { export function escape_object(obj) {

Loading…
Cancel
Save