[fix] harden attribute escaping during ssr (#7530)

2 years ago · f8605d6acb
parent 9635a2e413
commit f8605d6acb
3 changed files with 23 additions and 10 deletions
--- a/src/runtime/internal/ssr.ts
+++ b/src/runtime/internal/ssr.ts
@ -85,18 +85,20 @@ export function escape(value: unknown, is_attr = false) {
 	let escaped = '';
 	let last = 0;
-  while (pattern.test(str)) {
+	while (pattern.test(str)) {
-    const i = pattern.lastIndex - 1;
+		const i = pattern.lastIndex - 1;
-    const ch = str[i];
+		const ch = str[i];
-    escaped += str.substring(last, i) + (ch === '&' ? '&amp;' : (ch === '"' ? '&quot;' : '&lt;'));
+		escaped += str.substring(last, i) + (ch === '&' ? '&amp;' : (ch === '"' ? '&quot;' : '&lt;'));
-    last = i + 1;
+		last = i + 1;
-  }
+	}
 	return escaped + str.substring(last);
 }
 export function escape_attribute_value(value) {
-	return typeof value === 'string' ? escape(value, true) : value;
+	// keep booleans, null, and undefined for the sake of `spread`
 	const should_escape = typeof value === 'string' || (value && typeof value === 'object');
 	return should_escape ? escape(value, true) : value;
 }
 export function escape_object(obj) {
@ -192,7 +194,7 @@ export function create_ssr_component(fn) {
 export function add_attribute(name, value, boolean) {
 	if (value == null || (boolean && !value)) return '';
-	const assignment = (boolean && value === true) ? '' : `="${escape_attribute_value(value.toString())}"`;
+	const assignment = (boolean && value === true) ? '' : `="${escape(value, true)}"`;
 	return ` ${name}${assignment}`;
 }
--- a/test/server-side-rendering/samples/attribute-escaped-quotes-spread/_expected.html
+++ b/test/server-side-rendering/samples/attribute-escaped-quotes-spread/_expected.html
@ -2,4 +2,10 @@
 	bar="'></div><script>alert(42)</script>"
 	foo="&quot;></div><script>alert(42)</script>"
 	qux="&amp;&amp;&amp;"
-></div>
+	quux="&quot;><script>alert(42)</script>"
 ></div>
 <div
 	foo="foo"
 	unsafe="&quot;><script>alert(42)</script>"
 ></div>
--- a/test/server-side-rendering/samples/attribute-escaped-quotes-spread/main.svelte
+++ b/test/server-side-rendering/samples/attribute-escaped-quotes-spread/main.svelte
@ -1,10 +1,15 @@
 <script>
 	const safe = { foo: 'foo' };
 	const unsafe = { toString: () => '"><script>alert(42)<\/script>' };
 	export let props = {
 		foo: '"></div><script>alert(42)</' + 'script>',
 		bar: "'></div><script>alert(42)</" + 'script>',
 		['"></div><script>alert(42)</' + 'script>']: 'baz',
 		qux: '&&&',
 		quux: unsafe
 	};
 </script>
-<div {...props}></div>
+<div {...props}></div>
 <div {...safe} {unsafe}></div>