File tree 6 files changed +48
-2
lines changed
test/server-side-rendering/samples
attribute-escaped-quotes-spread
6 files changed +48
-2
lines changed Original file line number Diff line number Diff line change @@ -310,7 +310,7 @@ export default class Compiler {
310310 : `_svelteTransitionManager` ;
311311
312312 inlineHelpers += `\n\nvar ${ this . alias ( name ) } ${ global } ${ global } ${ code } ;
313- } else if ( name === 'escaped' || name === 'missingComponent' ) {
313+ } else if ( name === 'escaped' || name === 'missingComponent' || name === 'invalidAttributeNameCharacter' ) {
314314 // vars are an awkward special case... would be nice to avoid this
315315 const alias = this . alias ( name ) ;
316316 inlineHelpers += `\n\nconst ${ alias } ${ code }
Original file line number Diff line number Diff line change 1+ // https://html.spec.whatwg.org/multipage/syntax.html#attributes-2
2+ // https://infra.spec.whatwg.org/#noncharacter
3+ export const invalidAttributeNameCharacter = / [ \s ' " < \/ = \u{FDD0} - \u{FDEF} \u{FFFE} \u{FFFF} \u{1FFFE} \u{1FFFF} \u{2FFFE} \u{2FFFF} \u{3FFFE} \u{3FFFF} \u{4FFFE} \u{4FFFF} \u{5FFFE} \u{5FFFF} \u{6FFFE} \u{6FFFF} \u{7FFFE} \u{7FFFF} \u{8FFFE} \u{8FFFF} \u{9FFFE} \u{9FFFF} \u{AFFFE} \u{AFFFF} \u{BFFFE} \u{BFFFF} \u{CFFFE} \u{CFFFF} \u{DFFFE} \u{DFFFF} \u{EFFFE} \u{EFFFF} \u{FFFFE} \u{FFFFF} \u{10FFFE} \u{10FFFF} ] / u;
4+
15export function spread ( args ) {
26 const attributes = Object . assign ( { } , ...args ) ;
37 let str = '' ;
48
59 Object . keys ( attributes ) . forEach ( name => {
10+ if ( invalidAttributeNameCharacter . test ( name ) ) return ;
11+
612 const value = attributes [ name ] ;
713 if ( value === undefined ) return ;
814 if ( value === true ) str += " " + name ;
9- str += " " + name + "=" + JSON . stringify ( value ) ;
15+
16+ const escaped = String ( value )
17+ . replace ( / " / g, '"' )
18+ . replace ( / ' / g, ''' ) ;
19+
20+ str += " " + name + "=" + JSON . stringify ( escaped ) ;
1021 } ) ;
1122
1223 return str ;
Original file line number Diff line number Diff line change 1+ < div
2+ foo =""></div><script>alert(42)</script> "
3+ bar ="'></div><script>alert(42)</script> "
4+ > </ div >
Original file line number Diff line number Diff line change 1+ < div {...props} > </ div >
2+
3+ < script >
4+
5+ export default {
6+ data ( ) {
7+ return {
8+ props : {
9+ foo : '"></div><script>alert(42)</' + 'script>' ,
10+ bar : "'></div><script>alert(42)</" + 'script>' ,
11+ [ '"></div><script>alert(42)</' + 'script>' ] : 'baz'
12+ }
13+ } ;
14+ }
15+ } ;
16+ </ script >
Original file line number Diff line number Diff line change 1+ < div
2+ foo =""></div><script>alert(42)</script> "
3+ > </ div >
Original file line number Diff line number Diff line change 1+ < div foo ={foo} > </ div >
2+
3+ < script >
4+
5+ export default {
6+ data ( ) {
7+ return {
8+ foo : '"></div><script>alert(42)</' + 'script>'
9+ } ;
10+ }
11+ } ;
12+ </ script >
You can’t perform that action at this time.
0 commit comments