explain the rationale for the chosen escaping implemenation in a comm…

…ent (#24389)
facebook · Apr 16, 2022 · 2bf5eba · 2bf5eba
1 parent d40dc73
commit 2bf5eba
Showing 1 changed file with 13 additions and 4 deletions.
diff --git a/packages/react-dom/src/server/ReactDOMServerFormatConfig.js b/packages/react-dom/src/server/ReactDOMServerFormatConfig.js
@@ -83,16 +83,25 @@ const startScriptSrc = stringToPrecomputedChunk('<script src="');
 const startModuleSrc = stringToPrecomputedChunk('<script type="module" src="');
 const endAsyncScript = stringToPrecomputedChunk('" async=""></script>');
 
-const scriptRegex = /(<\/|<)(s)(cript)/gi;
-const scriptReplacer = (match, prefix, s, suffix) =>
-  `${prefix}${s === 's' ? '\\u0073' : '\\u0053'}${suffix}`;
-
+/**
+ * This escaping function is designed to work with bootstrapScriptContent only.
+ * because we know we are escaping the entire script. We can avoid for instance
+ * escaping html comment string sequences that are valid javascript as well because
+ * if there are no sebsequent <script sequences the html parser will never enter
+ * script data double escaped state (see: https://www.w3.org/TR/html53/syntax.html#script-data-double-escaped-state)
+ *
+ * While untrusted script content should be made safe before using this api it will
+ * ensure that the script cannot be early terminated or never terminated state
+ */
 function escapeBootstrapScriptContent(scriptText) {
   if (__DEV__) {
     checkHtmlStringCoercion(scriptText);
   }
   return ('' + scriptText).replace(scriptRegex, scriptReplacer);
 }
+const scriptRegex = /(<\/|<)(s)(cript)/gi;
+const scriptReplacer = (match, prefix, s, suffix) =>
+  `${prefix}${s === 's' ? '\\u0073' : '\\u0053'}${suffix}`;
 
 // Allows us to keep track of what we've already written so we can refer back to it.
 export function createResponseState(