mirror of
https://github.com/withastro/astro.git
synced 2025-01-22 10:31:53 -05:00
This commit is contained in:
Florian Lefebvre
GitHub
parent
8911bdacab
commit
f5765196e9
5 changed files with 40 additions and 8 deletions
5
.changeset/fifty-socks-end.md
Normal file
5
.changeset/fifty-socks-end.md
Normal file
|
|
@ -0,0 +1,5 @@
|
||||||
|
---
|
||||||
|
'astro': patch
|
||||||
|
---
|
||||||
|
|
||||||
|
Updates the server islands encoding logic to only escape the script end tag open delimiter and opening HTML comment syntax
|
||||||
|
|
@ -15,13 +15,19 @@ export function containsServerDirective(props: Record<string | number, any>) {
|
||||||
return 'server:component-directive' in props;
|
return 'server:component-directive' in props;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
const SCRIPT_RE = /<\/script/giu;
|
||||||
|
const COMMENT_RE = /<!--/gu;
|
||||||
|
const SCRIPT_REPLACER = '<\\/script';
|
||||||
|
const COMMENT_REPLACER = '\\u003C!--';
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Encodes the script end-tag open (ETAGO) delimiter and opening HTML comment syntax for JSON inside a `<script>` tag.
|
||||||
|
* @see https://mathiasbynens.be/notes/etago
|
||||||
|
*/
|
||||||
function safeJsonStringify(obj: any) {
|
function safeJsonStringify(obj: any) {
|
||||||
return JSON.stringify(obj)
|
return JSON.stringify(obj)
|
||||||
.replace(/\u2028/g, '\\u2028')
|
.replace(SCRIPT_RE, SCRIPT_REPLACER)
|
||||||
.replace(/\u2029/g, '\\u2029')
|
.replace(COMMENT_RE, COMMENT_REPLACER);
|
||||||
.replace(/</g, '\\u003c')
|
|
||||||
.replace(/>/g, '\\u003e')
|
|
||||||
.replace(/\//g, '\\u002f');
|
|
||||||
}
|
}
|
||||||
|
|
||||||
function createSearchParams(componentExport: string, encryptedProps: string, slots: string) {
|
function createSearchParams(componentExport: string, encryptedProps: string, slots: string) {
|
||||||
|
|
|
||||||
12
packages/astro/test/fixtures/server-islands/ssr/src/pages/empty-props.astro
vendored
Normal file
12
packages/astro/test/fixtures/server-islands/ssr/src/pages/empty-props.astro
vendored
Normal file
|
|
@ -0,0 +1,12 @@
|
||||||
|
---
|
||||||
|
import Island from '../components/Island.astro';
|
||||||
|
---
|
||||||
|
<html>
|
||||||
|
<head>
|
||||||
|
<title>Testing</title>
|
||||||
|
</head>
|
||||||
|
<body>
|
||||||
|
<h1>Testing</h1>
|
||||||
|
<Island server:defer />
|
||||||
|
</body>
|
||||||
|
</html>
|
||||||
|
|
@ -1,5 +1,7 @@
|
||||||
---
|
---
|
||||||
import Island from '../components/Island.astro';
|
import Island from '../components/Island.astro';
|
||||||
|
|
||||||
|
const xssMe ="</script><script>alert('xss')</script><!--"
|
||||||
---
|
---
|
||||||
<html>
|
<html>
|
||||||
<head>
|
<head>
|
||||||
|
|
@ -7,6 +9,6 @@ import Island from '../components/Island.astro';
|
||||||
</head>
|
</head>
|
||||||
<body>
|
<body>
|
||||||
<h1>Testing</h1>
|
<h1>Testing</h1>
|
||||||
<Island server:defer />
|
<Island server:defer message={xssMe} />
|
||||||
</body>
|
</body>
|
||||||
</html>
|
</html>
|
||||||
|
|
|
||||||
|
|
@ -37,6 +37,13 @@ describe('Server islands', () => {
|
||||||
assert.equal(serverIslandEl.length, 0);
|
assert.equal(serverIslandEl.length, 0);
|
||||||
});
|
});
|
||||||
|
|
||||||
|
it('HTML escapes scripts', async () => {
|
||||||
|
const res = await fixture.fetch('/');
|
||||||
|
assert.equal(res.status, 200);
|
||||||
|
const html = await res.text();
|
||||||
|
assert.equal(html.includes("</script><script>alert('xss')</script><!--"), false);
|
||||||
|
});
|
||||||
|
|
||||||
it('island is not indexed', async () => {
|
it('island is not indexed', async () => {
|
||||||
const res = await fixture.fetch('/_server-islands/Island', {
|
const res = await fixture.fetch('/_server-islands/Island', {
|
||||||
method: 'POST',
|
method: 'POST',
|
||||||
|
|
@ -62,7 +69,7 @@ describe('Server islands', () => {
|
||||||
assert.equal(works, 'true', 'able to set header from server island');
|
assert.equal(works, 'true', 'able to set header from server island');
|
||||||
});
|
});
|
||||||
it('omits empty props from the query string', async () => {
|
it('omits empty props from the query string', async () => {
|
||||||
const res = await fixture.fetch('/');
|
const res = await fixture.fetch('/empty-props');
|
||||||
assert.equal(res.status, 200);
|
assert.equal(res.status, 200);
|
||||||
const html = await res.text();
|
const html = await res.text();
|
||||||
const fetchMatch = html.match(/fetch\('\/_server-islands\/Island\?[^']*p=([^&']*)/);
|
const fetchMatch = html.match(/fetch\('\/_server-islands\/Island\?[^']*p=([^&']*)/);
|
||||||
|
|
@ -135,7 +142,7 @@ describe('Server islands', () => {
|
||||||
});
|
});
|
||||||
it('omits empty props from the query string', async () => {
|
it('omits empty props from the query string', async () => {
|
||||||
const app = await fixture.loadTestAdapterApp();
|
const app = await fixture.loadTestAdapterApp();
|
||||||
const request = new Request('http://example.com/');
|
const request = new Request('http://example.com/empty-props');
|
||||||
const response = await app.render(request);
|
const response = await app.render(request);
|
||||||
assert.equal(response.status, 200);
|
assert.equal(response.status, 200);
|
||||||
const html = await response.text();
|
const html = await response.text();
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue