author | 2025-01-20 17:06:16 +0000 | |
---|---|---|
committer | 2025-01-20 17:06:16 +0000 | |
commit | d06518246f3e12bf9c43f9589cadcbb01e30a5e3 (patch) | |
tree | b3f4ed9000613fd8195c5c7f00e15b9ae321ece4 | |
parent | 3357ff649768f3c359834ffbe656cbec1a2803d4 (diff) | |
Revert "feat(server-islands): only encode ETAGO delimiter (#11513)" (#13013)
This reverts commit f64b73cb8aaae02c52fa438ac8361044cf67f6dc.
4 files changed, 6 insertions, 26 deletions
diff --git a/.changeset/fifty-socks-end.md b/.changeset/fifty-socks-end.md
deleted file mode 100644
index 8b4476fbc..000000000
--- a/.changeset/fifty-socks-end.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-'astro': patch
----
-
-Updates the server islands encoding logic to only escape the script end tag open delimiter and opening HTML comment syntax
diff --git a/packages/astro/src/runtime/server/render/server-islands.ts b/packages/astro/src/runtime/server/render/server-islands.ts
index 093254cd3..e45b1e6d4
--- a/packages/astro/src/runtime/server/render/server-islands.ts
+++ b/packages/astro/src/runtime/server/render/server-islands.ts
@@ -15,19 +15,13 @@ export function containsServerDirective(props: Record<string | number, any>) {
 	return 'server:component-directive' in props;
 }
 
-const SCRIPT_RE = /<\/script/giu;
-const COMMENT_RE = /<!--/gu;
-const SCRIPT_REPLACER = '<\\/script';
-const COMMENT_REPLACER = '\\u003C!--';
-
-/**
- * Encodes the script end-tag open (ETAGO) delimiter and opening HTML comment syntax for JSON inside a `<script>` tag.
- * @see https://mathiasbynens.be/notes/etago
- */
 function safeJsonStringify(obj: any) {
 	return JSON.stringify(obj)
-		.replace(SCRIPT_RE, SCRIPT_REPLACER)
-		.replace(COMMENT_RE, COMMENT_REPLACER);
+		.replace(/\u2028/g, '\\u2028')
+		.replace(/\u2029/g, '\\u2029')
+		.replace(/</g, '\\u003c')
+		.replace(/>/g, '\\u003e')
+		.replace(/\//g, '\\u002f');
 }
 
 function createSearchParams(componentExport: string, encryptedProps: string, slots: string) {
diff --git a/packages/astro/test/fixtures/server-islands/ssr/src/pages/index.astro b/packages/astro/test/fixtures/server-islands/ssr/src/pages/index.astro
index c97cf4718..d42973294
--- a/packages/astro/test/fixtures/server-islands/ssr/src/pages/index.astro
+++ b/packages/astro/test/fixtures/server-islands/ssr/src/pages/index.astro
@@ -1,7 +1,5 @@
 ---
 import Island from '../components/Island.astro';
-
-const xssMe ="</script><script>alert('xss')</script><!--"
 ---
 <html>
 <head>
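Review bot: The restored `safeJsonStringify` in the server-islands.ts hunk carries no comment saying why it escapes `<`, `>`, `/`, U+2028 and U+2029, so a later reader can again narrow it to `</script` exactly as #11513 did; the JSDoc this hunk deletes should come back in updated form, e.g. `/** Serialises obj for embedding in an inline <script>: every <, > and / is emitted as a \uXXXX escape so no </script> or <!-- sequence can close the tag, and U+2028/U+2029 are escaped because older engines treat them as line terminators inside string literals. */`. Escaping every `<` is the safer default and already covers the `</script><script>...</script><!--` payload that the removed `HTML escapes scripts` test fed through the `xssMe` fixture, but since the revert also drops that test the escape set is no longer pinned by anything; keeping a test that asserts the raw `</script>` string is absent from the rendered page (or that `\u003c/script` is present) would be cheap insurance. `JSON.stringify(obj)` returns `undefined` for `undefined`, functions and symbols, so the chained `.replace` would throw a TypeError for such an `obj`; if callers can pass those, guard with `(JSON.stringify(obj) ?? 'null')` or tighten the `any` parameter type. The surrounding module continues outside the hunk.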
@@ -9,6 +7,6 @@ const xssMe ="</script><script>alert('xss')</script><!--"
 </head>
 <body>
 	<h1>Testing</h1>
-	<Island server:defer message={xssMe} />
+	<Island server:defer />
 </body>
 </html>
diff --git a/packages/astro/test/server-islands.test.js b/packages/astro/test/server-islands.test.js
index 77308d000..d47578e9c
--- a/packages/astro/test/server-islands.test.js
+++ b/packages/astro/test/server-islands.test.js
@@ -37,13 +37,6 @@ describe('Server islands', () => {
 		assert.equal(serverIslandEl.length, 0);
 	});
 
-	it('HTML escapes scripts', async () => {
-		const res = await fixture.fetch('/');
-		assert.equal(res.status, 200);
-		const html = await res.text();
-		assert.equal(html.includes("</script><script>alert('xss')</script><!--"), false);
-	});
-
 	it('island is not indexed', async () => {
 		const res = await fixture.fetch('/_server-islands/Island', {
 			method: 'POST', |