| author | 2024-07-19 07:02:14 -0700 |
|---|---|
| committer | 2024-07-19 15:02:14 +0100 |
| commit | ca335e1dc09bc83d3f8f5b9dd54f116bcb4881e4 (patch) |
| tree | fd7d49f04a5dc1a03c506c65d7d64e80a4047233 /examples/basics |
| parent | 026e8baf3323e99f96530999fd32a0a9b305854d (diff) |
| download | astro-ca335e1dc09bc83d3f8f5b9dd54f116bcb4881e4.tar.gz astro-ca335e1dc09bc83d3f8f5b9dd54f116bcb4881e4.tar.zst astro-ca335e1dc09bc83d3f8f5b9dd54f116bcb4881e4.zip |
Fix an XSS in Server Islands. (#11508)
* Fix an XSS in Server Islands.
Discussed with @FredKSchott that this is OK to disclose since Server Islands are still experimental.
It's generally not safe to use `JSON.stringify` to interpolate potentially attacker controlled data into `<script>` tags as JSON doesn't escape `<>"'` and so one can use it to break out of the script tag and e.g. make a new one with controlled content.
See https://pragmaticwebsecurity.com/articles/spasecurity/json-stringify-xss
* Format
* Create smart-snakes-promise.md
* Switch to manual encoding
---------
Co-authored-by: Matt Kane <m@mk.gg>
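The commit message describes the root cause (`JSON.stringify` output dropped into a `<script>` tag) but the diff for this path is empty, so here is an added illustration of the issue and the usual mitigation. This is example code written for this page, not Astro's implementation; `encodeForScriptTag`, `unsafeScript`, `safeScript` and the sample props are all constructed for the demonstration. The hardened encoder replaces `<`, `>`, `&`, U+2028 and U+2029 with `\uXXXX` escapes, which keeps the output valid JSON (so the client can still `JSON.parse` it) while making it impossible for the data to form a `</script>` sequence.

```javascript
// Added example (not Astro's code): embedding JSON in a <script> element safely.
// JSON.stringify does not escape < > & or the line terminators U+2028/U+2029,
// so an attacker-controlled string can close the script element early.
const ESCAPES = {
  '<': '\\u003c',
  '>': '\\u003e',
  '&': '\\u0026',
  '\u2028': '\\u2028',
  '\u2029': '\\u2029',
};

// Hypothetical helper: JSON-encode a value so it is inert inside <script>.
// The \uXXXX escapes are valid in both JSON and JavaScript string literals,
// so JSON.parse on the client still yields the original value.
function encodeForScriptTag(value) {
  return JSON.stringify(value).replace(/[<>&\u2028\u2029]/g, (ch) => ESCAPES[ch]);
}

// Constructed sample of untrusted input: a prop whose value closes the script tag.
const untrustedProps = { name: '</script><b>injected</b>' };

// The pattern the commit message warns against: raw JSON.stringify in a script tag.
function unsafeScript(props) {
  return `<script>window.__props = ${JSON.stringify(props)};</script>`;
}

// Same markup with the manual encoding applied.
function safeScript(props) {
  return `<script>window.__props = ${encodeForScriptTag(props)};</script>`;
}

// Defensive check: count how many times the script element is closed in the
// rendered HTML. Exactly one close tag (the wrapper's own) is the expected value.
function scriptCloseCount(html) {
  return (html.match(/<\/script>/gi) || []).length;
}

// Demonstration when run directly.
console.log('unsafe closes:', scriptCloseCount(unsafeScript(untrustedProps))); // 2
console.log('safe closes:  ', scriptCloseCount(safeScript(untrustedProps)));   // 1
console.log('round-trip:   ', JSON.parse(encodeForScriptTag(untrustedProps)).name);
```

The same escaping applies to the quote-free pattern the commit message mentions: because every `<` in the data becomes `\u003c`, the HTML parser never sees a tag boundary inside the script, regardless of what the JSON contains.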
Diffstat (limited to 'examples/basics')
0 files changed, 0 insertions, 0 deletions