[fix] attribute values are incorrectly escaped during ssr #7333
Fixes #7327 and a related security issue.
Attribute values were being `JSON.stringify`ed after being escaped, resulting in escaped characters like `\\` and `\n` to show up in the HTML. The browser doesn't `JSON.parse` attribute values, so the attributes end up with the wrong value. Succinctly: `<el attr={'\\'}>` renders `<el attr="\\">` gives `el.getAttribute('attr') === '\\\\'`.

The security issue is that objects, on the other hand, were rendered directly to attribute values as unescaped strings. This means an object with a custom `toString()` can result in raw html injection. See modified tests for more details.
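The following is an added illustration, not code from the Svelte project or from this PR: a minimal model of the two SSR attribute-serialisation defects the description names (escape-then-`JSON.stringify` for strings, and unescaped pass-through for objects) beside a corrected serialiser that coerces first and escapes once. The function names `attrBuggy`, `attrFixed`, `escapeAttr` and `readBackAttr` are assumed for the example; `readBackAttr` approximates what a browser would hand back from `getAttribute` by decoding the entities inside the quotes.

```javascript
// Added example (not Svelte's own code). Models the behaviour described in
// PR #7333: SSR attribute values were JSON.stringify'd after escaping, and
// non-string values were concatenated without any escaping at all.

// Escape the characters that matter inside a double-quoted attribute value.
function escapeAttr(s) {
  return s
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Buggy (pre-fix behaviour, as the PR describes it):
//  - strings are escaped and THEN JSON-encoded, so a backslash or newline in
//    the value becomes the two-character sequences \\ and \n in the HTML,
//    which the browser does not JSON.parse back;
//  - anything else is stringified implicitly, so an object with a custom
//    toString() lands in the markup unescaped.
function attrBuggy(name, value) {
  if (typeof value === 'string') {
    const json = JSON.stringify(escapeAttr(value)); // e.g. '"\\\\"' for one backslash
    return ` ${name}="${json.slice(1, -1)}"`;       // strip the JSON quotes
  }
  return ` ${name}="${value}"`;                      // no escaping at all
}

// Fixed: coerce to a string first, then escape exactly once, never JSON-encode.
// (Boolean/null attribute handling is simplified; it is not the point here.)
function attrFixed(name, value) {
  if (value == null || value === false) return '';
  return ` ${name}="${escapeAttr(String(value))}"`;
}

// Approximate what a browser returns from el.getAttribute(): the text between
// the quotes with HTML entities decoded. Returns null if the attribute was
// broken out of (no well-formed quoted value left).
function readBackAttr(html) {
  const m = /="([^"]*)"/.exec(html);
  if (!m) return null;
  return m[1]
    .replace(/&quot;/g, '"')
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&amp;/g, '&');
}

// Constructed inputs: the backslash case from the PR description and an
// object whose toString() tries to close the attribute and emit a tag.
const backslash = '\\';
const hostile = { toString() { return '"><b>injected</b'; } };

console.log('buggy backslash :', JSON.stringify(attrBuggy('attr', backslash)));
console.log('fixed backslash :', JSON.stringify(attrFixed('attr', backslash)));
console.log('buggy object    :', attrBuggy('title', hostile));
console.log('fixed object    :', attrFixed('title', hostile));
```

Running it shows the buggy serialiser turning one backslash into two (the value the browser reads back is `\\`, matching the `getAttribute` result quoted above) and letting the object's markup through verbatim, while the fixed serialiser round-trips the backslash and renders the object's output as inert `&quot;&gt;&lt;b&gt;...` text.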
Before submitting the PR, please make sure you do the following:
- `[feat]`, `[fix]`, `[chore]`, or `[docs]`.
- Tests: `npm test` and lint the project with `npm run lint`