diff --git a/.changeset/shy-bats-move.md b/.changeset/shy-bats-move.md
new file mode 100644
index 000000000000..8089d0274fe4
--- /dev/null
+++ b/.changeset/shy-bats-move.md
@@ -0,0 +1,5 @@
+---
+'@sveltejs/kit': patch
+---
+
+[fix] replace broken escaping with a working version
diff --git a/packages/kit/src/runtime/server/page/load_node.js b/packages/kit/src/runtime/server/page/load_node.js
index 41ae2f02c1e5..714a3e2ba462 100644
--- a/packages/kit/src/runtime/server/page/load_node.js
+++ b/packages/kit/src/runtime/server/page/load_node.js
@@ -1,7 +1,7 @@
 import { normalize } from '../../load.js';
 import { respond } from '../index.js';
 import { s } from '../../../utils/misc.js';
-import { escape_json_string_in_html } from '../../../utils/escape.js';
+import { escape_json_value_in_html } from '../../../utils/escape.js';
 import { is_root_relative, resolve } from '../../../utils/url.js';
 import { create_prerendering_url_proxy } from './utils.js';
 import { is_pojo } from '../utils.js';
@@ -257,7 +257,7 @@ export async function load_node({
 fetched.push({
 url: requested,
 body: /** @type {string} */ (opts.body),
- json: `{"status":${response.status},"statusText":${s(response.statusText)},"headers":${s(headers)},"body":"${escape_json_string_in_html(body)}"}`
+ json: `{"status":${response.status},"statusText":${s(response.statusText)},"headers":${s(headers)},"body":"${escape_json_value_in_html(body)}"}`
 });
 }
diff --git a/packages/kit/src/utils/escape.js b/packages/kit/src/utils/escape.js
index 4a52cbf83fb8..895c45570d26 100644
--- a/packages/kit/src/utils/escape.js
+++ b/packages/kit/src/utils/escape.js
@@ -1,5 +1,15 @@
 /** @type {Record} */
 const escape_json_in_html_dict = {
+ '&': '\\u0026',
+ '>': '\\u003e',
+ '<': '\\u003c',
+ '\u2028': '\\u2028',
+ '\u2029': '\\u2029'
+};
+
+/** @type {Record} */
+const escape_json_value_in_html_dict = {
+ '"': '\\"',
 '<': '\\u003C',
 '>': '\\u003E',
 '/': '\\u002F',
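Review bot: In the `json` template of the load_node hunk only `body` is passed through `escape_json_value_in_html`; `s(response.statusText)` and `s(headers)` are interpolated as-is, and both hold values taken from the fetched upstream response. If `s` is a plain serializer and this string is later written inside a `<script>` element, as the helper's name suggests, a `<` in a header value or status text could still terminate that element — the destination is not visible in this hunk, so this needs confirming against the renderer. Consider running those two serialized values through the document-level escaper backed by `escape_json_in_html_dict` as well, e.g. `"statusText":${escape_json_in_html(s(response.statusText))},"headers":${escape_json_in_html(s(headers))}`, or escaping the whole `json` value once at the point where it is embedded. load_node begins and ends outside the hunk.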
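Review bot: The added `escape_json_value_in_html_dict` has no entry for the backslash and its visible entries cover no control characters, yet load_node applies the matching function to a `body` value that is dropped between double quotes inside a JSON string. Unless `escape_json_value_in_html` (outside this hunk) handles `\\` and characters below U+0020 in code, a body containing a backslash or a line break produces text that is not a valid JSON string literal and the embedded data will fail to parse. If the table is meant to be complete, add `'\\': '\\\\',` alongside the `'"'` entry and map the C0 control characters too; if the function covers them elsewhere, a comment such as `// backslashes and control characters are handled in escape_json_value_in_html, not in this table` would stop the dict from being read as exhaustive. Separately, the two tables spell the same escapes with different hex case (`\\u003e` in the first, `\\u003E` in the second); both are valid JSON, but one form makes the output easier to compare in tests.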
@@ -14,53 +24,30 @@ const escape_json_in_html_dict = {
 '\u2029': '\\u2029'
 };
-/** @type {Record} */
-const escape_json_string_in_html_dict = {
- '"': '\\"',
- ...escape_json_in_html_dict
-};
-
 /**
 * Escape a stringified JSON object that's going to be embedded in a `