[fix] attribute escaping during ssr (sveltejs#7333)

Fixes sveltejs#7327 and a related security issue
himanshiLt · Mar 3, 2022 · f786425 · f786425
1 parent cbe813f
commit f786425
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 5 deletions.
diff --git a/src/runtime/internal/ssr.ts b/src/runtime/internal/ssr.ts
@@ -177,7 +177,8 @@ export function create_ssr_component(fn) {
 
 export function add_attribute(name, value, boolean) {
 	if (value == null || (boolean && !value)) return '';
-	return ` ${name}${value === true && boolean_attributes.has(name) ? '' : `=${typeof value === 'string' ? JSON.stringify(escape(value)) : `"${value}"`}`}`;
+	const assignment = (boolean && value === true) ? '' : `="${escape_attribute_value(value.toString())}"`;
+	return ` ${name}${assignment}`;
 }
 
 export function add_classes(classes) {

diff --git a/test/server-side-rendering/samples/attribute-escaped-quotes/_expected.html b/test/server-side-rendering/samples/attribute-escaped-quotes/_expected.html
@@ -1,3 +1,4 @@
 <div
-	foo="&#34;></div><script>alert(42)</script>"
-></div>
+	foo="&#34;></div>\<script>alert(42)</script>"
+	bar="&#34;></div>\<script>alert(42)</script>"
+></div>
diff --git a/test/server-side-rendering/samples/attribute-escaped-quotes/main.svelte b/test/server-side-rendering/samples/attribute-escaped-quotes/main.svelte
@@ -1,5 +1,6 @@
 <script>
-	export let foo = '"></div><script>alert(42)</' + 'script>';
+	export let foo = '"></div>\\<script>alert(42)</' + 'script>';
+	export let bar = { toString: () => '"></div>\\<script>alert(42)<\/script>' };
 </script>
 
-<div foo={foo}></div>
+<div foo={foo} bar={bar}></div>