mirrors/astro
1
0
Fork 0
mirror of https://github.com/withastro/astro.git synced 2025-01-22 10:31:53 -05:00
Code Issues Projects Releases Packages Wiki Activity

Revert "feat(server-islands): only encode ETAGO delimiter (#11513)" (#13013)

Browse source 
This reverts commit f64b73cb8a.
This commit is contained in:
Matt Kane 2025-01-20 17:06:16 +00:00 committed by GitHub
parent 3357ff6497
commit d06518246f
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
4 changed files with 6 additions and 26 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
.changeset/fifty-socks-end.md
View file

@ -1,5 +0,0 @@
---
'astro': patch
---
Updates the server islands encoding logic to only escape the script end tag open delimiter and opening HTML comment syntax

16
packages/astro/src/runtime/server/render/server-islands.ts
View file

@ -15,19 +15,13 @@ export function containsServerDirective(props: Record<string | number, any>) {
return 'server:component-directive' in props;
}
const SCRIPT_RE = /<\/script/giu;
const COMMENT_RE = /<!--/gu;
const SCRIPT_REPLACER = '<\\/script';
const COMMENT_REPLACER = '\\u003C!--';
/**
* Encodes the script end-tag open (ETAGO) delimiter and opening HTML comment syntax for JSON inside a `<script>` tag.
* @see https://mathiasbynens.be/notes/etago
*/
function safeJsonStringify(obj: any) {
return JSON.stringify(obj)
.replace(SCRIPT_RE, SCRIPT_REPLACER)
.replace(COMMENT_RE, COMMENT_REPLACER);
.replace(/\u2028/g, '\\u2028')
.replace(/\u2029/g, '\\u2029')
.replace(/</g, '\\u003c')
.replace(/>/g, '\\u003e')
.replace(/\//g, '\\u002f');
}
function createSearchParams(componentExport: string, encryptedProps: string, slots: string) {

4
packages/astro/test/fixtures/server-islands/ssr/src/pages/index.astro vendored
View file

@ -1,7 +1,5 @@
---
import Island from '../components/Island.astro';
const xssMe ="</script><script>alert('xss')</script><!--"
---
<html>
<head>
@ -9,6 +7,6 @@ const xssMe ="</script><script>alert('xss')</script><!--"
</head>
<body>
<h1>Testing</h1>
<Island server:defer message={xssMe} />
<Island server:defer />
</body>
</html>

7
packages/astro/test/server-islands.test.js
View file

@ -37,13 +37,6 @@ describe('Server islands', () => {
assert.equal(serverIslandEl.length, 0);
});
it('HTML escapes scripts', async () => {
const res = await fixture.fetch('/');
assert.equal(res.status, 200);
const html = await res.text();
assert.equal(html.includes("</script><script>alert('xss')</script><!--"), false);
});
it('island is not indexed', async () => {
const res = await fixture.fetch('/_server-islands/Island', {
method: 'POST',