mirror of https://github.com/sveltejs/svelte
* fix: Use `devalue.uneval` to serialize `hydratable` keys * oopspull/17476/head
parent
6d90b96e99
commit
ef81048e23
@ -0,0 +1,5 @@
|
||||
---
|
||||
'svelte': patch
|
||||
---
|
||||
|
||||
fix: use `devalue.uneval` to serialize `hydratable` keys
|
||||
@ -0,0 +1,14 @@
|
||||
import { test } from '../../test';
|
||||
|
||||
export default test({
|
||||
skip_no_async: true,
|
||||
mode: ['hydrate'],
|
||||
|
||||
props: {
|
||||
key: '</script><script>throw new Error("pwned")</script>'
|
||||
},
|
||||
|
||||
async test() {
|
||||
// this test will fail when evaluating the `head` script if the vulnerability is present
|
||||
}
|
||||
});
|
||||
@ -0,0 +1,9 @@
|
||||
<script>
|
||||
import { hydratable } from "svelte";
|
||||
|
||||
const { key } = $props();
|
||||
|
||||
const value = await hydratable(key, () => Promise.resolve('safe'));
|
||||
</script>
|
||||
|
||||
<p>{value}</p>
|
||||
Loading…
Reference in new issue