mirror of https://github.com/sveltejs/svelte
[fix] harden attribute escaping during ssr (#7530)
parent
9635a2e413
commit
f8605d6acb
@ -1,10 +1,15 @@
|
||||
<script>
|
||||
const safe = { foo: 'foo' };
|
||||
const unsafe = { toString: () => '"><script>alert(42)<\/script>' };
|
||||
|
||||
export let props = {
|
||||
foo: '"></div><script>alert(42)</' + 'script>',
|
||||
bar: "'></div><script>alert(42)</" + 'script>',
|
||||
['"></div><script>alert(42)</' + 'script>']: 'baz',
|
||||
qux: '&&&',
|
||||
quux: unsafe
|
||||
};
|
||||
</script>
|
||||
|
||||
<div {...props}></div>
|
||||
<div {...props}></div>
|
||||
<div {...safe} {unsafe}></div>
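Review bot: The `unsafe` object on the `const unsafe = …` line is the one non-obvious case in this fixture and has no comment saying why it is there: it is not a string, so it only yields markup when coerced through `toString`, and it is passed both inside the spread (`quux: unsafe`) and as the shorthand attribute `{unsafe}`. A short comment above it, e.g. `// non-string value: escaping must run after string coercion, in both spread and shorthand attributes`, would tell the next maintainer which path each `<div>` guards. As a point of style, that line writes the closing tag as `<\/script>` while the `props` entries use `'</' + 'script>'`; picking one form would make the fixture easier to scan. The expected-output file is not visible in this section, so I cannot confirm from here that all five values are asserted in escaped form.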
|
||||
|