Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[fix] attribute values are incorrectly escaped during ssr #7333

Merged
merged 2 commits into from Mar 3, 2022
Merged

[fix] attribute values are incorrectly escaped during ssr #7333

merged 2 commits into from Mar 3, 2022

Conversation

mrkishi
Copy link
Member

@mrkishi mrkishi commented Mar 3, 2022

Fixes #7327 and a related security issue.

Attribute values were being JSON.stringifyed after being escaped, resulting in escaped characters like \\ and \n to show up in the HTML. The browser doesn't JSON.parse attribute values, so the attributes end up with the wrong value.

Succinctly: <el attr={'\\'}> renders <el attr="\\"> gives el.getAttribute('attr') === '\\\\'.

The security issue is that objects, on the other hand, were rendered directly to attribute values as unescaped strings. This means an object with a custom toString() can result in raw html injection.

See modified tests for more details.

Before submitting the PR, please make sure you do the following

  • It's really useful if your PR references an issue where it is discussed ahead of time. In many cases, features are absent for a reason. For large changes, please create an RFC: https://github.com/sveltejs/rfcs
  • Prefix your PR title with [feat], [fix], [chore], or [docs].
  • This message body should clearly illustrate what problems it solves.
  • Ideally, include a test that fails without this PR but passes with it.

Tests

  • Run the tests with npm test and lint the project with npm run lint

@dummdidumm dummdidumm merged commit cdd3575 into sveltejs:master Mar 3, 2022
@mrkishi mrkishi deleted the attr-ssr branch March 3, 2022 15:58
himanshiLt pushed a commit to himanshiLt/svelte that referenced this pull request Mar 3, 2022
@mrkishi @himanshiLt
[fix] attribute escaping during ssr (sveltejs#7333)
f786425 
Fixes sveltejs#7327 and a related security issue
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Rich-Harris Rich-Harris Rich-Harris approved these changes

@dummdidumm dummdidumm dummdidumm approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Hydration Inconsistency: Escaped linebreaks in attributes
3 participants
@mrkishi @Rich-Harris @dummdidumm