Merge commit from fork

Rich-Harris · web-flow · commit d3300c6a6790 · 2025-04-14T13:37:21.000-04:00
* fix: escape names of tracked search parameters

* oops
diff --git a/.changeset/rotten-colts-arrive.md b/.changeset/rotten-colts-arrive.md
@@ -0,0 +1,5 @@
+---
+'@sveltejs/kit': patch
+---
+
+fix: escape names of tracked search parameters
diff --git a/packages/kit/src/runtime/server/data/index.js b/packages/kit/src/runtime/server/data/index.js
@@ -2,7 +2,7 @@ import { HttpError, SvelteKitError, Redirect } from '../../control.js';
 import { normalize_error } from '../../../utils/error.js';
 import { once } from '../../../utils/functions.js';
 import { load_server_data } from '../page/load_data.js';
-import { clarify_devalue_error, handle_error_and_jsonify, stringify_uses } from '../utils.js';
+import { clarify_devalue_error, handle_error_and_jsonify, serialize_uses } from '../utils.js';
 import { normalize_path } from '../../../utils/url.js';
 import { text } from '../../../exports/index.js';
 import * as devalue from 'devalue';
@@ -253,8 +253,8 @@ export function get_data_json(event, options, nodes) {
 				return JSON.stringify(node);
 			}
 
-			return `{"type":"data","data":${devalue.stringify(node.data, reducers)},${stringify_uses(
-				node
+			return `{"type":"data","data":${devalue.stringify(node.data, reducers)},${JSON.stringify(
+				serialize_uses(node)
 			)}${node.slash ? `,"slash":${JSON.stringify(node.slash)}` : ''}}`;
 		});
 
diff --git a/packages/kit/src/runtime/server/page/render.js b/packages/kit/src/runtime/server/page/render.js
@@ -7,7 +7,7 @@ import { serialize_data } from './serialize_data.js';
 import { s } from '../../../utils/misc.js';
 import { Csp } from './csp.js';
 import { uneval_action_response } from './actions.js';
-import { clarify_devalue_error, stringify_uses, handle_error_and_jsonify } from '../utils.js';
+import { clarify_devalue_error, handle_error_and_jsonify, serialize_uses } from '../utils.js';
 import { public_env, safe_public_env } from '../../shared-server.js';
 import { text } from '../../../exports/index.js';
 import { create_async_iterator } from '../../../utils/streaming.js';
@@ -646,9 +646,11 @@ function get_data(event, options, nodes, csp, global) {
 		const strings = nodes.map((node) => {
 			if (!node) return 'null';
 
-			return `{"type":"data","data":${devalue.uneval(node.data, replacer)},${stringify_uses(node)}${
-				node.slash ? `,"slash":${JSON.stringify(node.slash)}` : ''
-			}}`;
+			/** @type {any} */
+			const payload = { type: 'data', data: node.data, uses: serialize_uses(node) };
+			if (node.slash) payload.slash = node.slash;
+
+			return devalue.uneval(payload, replacer);
 		});
 
 		return {
diff --git a/packages/kit/src/runtime/server/utils.js b/packages/kit/src/runtime/server/utils.js
@@ -147,26 +147,26 @@ export function clarify_devalue_error(event, error) {
 /**
  * @param {import('types').ServerDataNode} node
  */
-export function stringify_uses(node) {
-	const uses = [];
+export function serialize_uses(node) {
+	const uses = {};
 
 	if (node.uses && node.uses.dependencies.size > 0) {
-		uses.push(`"dependencies":${JSON.stringify(Array.from(node.uses.dependencies))}`);
+		uses.dependencies = Array.from(node.uses.dependencies);
 	}
 
 	if (node.uses && node.uses.search_params.size > 0) {
-		uses.push(`"search_params":${JSON.stringify(Array.from(node.uses.search_params))}`);
+		uses.search_params = Array.from(node.uses.search_params);
 	}
 
 	if (node.uses && node.uses.params.size > 0) {
-		uses.push(`"params":${JSON.stringify(Array.from(node.uses.params))}`);
+		uses.params = Array.from(node.uses.params);
 	}
 
-	if (node.uses?.parent) uses.push('"parent":1');
-	if (node.uses?.route) uses.push('"route":1');
-	if (node.uses?.url) uses.push('"url":1');
+	if (node.uses?.parent) uses.parent = 1;
+	if (node.uses?.route) uses.route = 1;
+	if (node.uses?.url) uses.url = 1;
 
-	return `"uses":{${uses.join(',')}}`;
+	return uses;
 }
 
 /**
diff --git a/packages/kit/test/apps/basics/src/routes/xss/query-tracking/+page.server.js b/packages/kit/test/apps/basics/src/routes/xss/query-tracking/+page.server.js
@@ -0,0 +1,11 @@
+export function load({ url }) {
+	const values = {};
+
+	for (const key of url.searchParams.keys()) {
+		values[key] = url.searchParams.get(key);
+	}
+
+	return {
+		values
+	};
+}
diff --git a/packages/kit/test/apps/basics/src/routes/xss/query-tracking/+page.svelte b/packages/kit/test/apps/basics/src/routes/xss/query-tracking/+page.svelte
@@ -0,0 +1 @@
+<p>check window.pwned</p>
diff --git a/packages/kit/test/apps/basics/test/cross-platform/test.js b/packages/kit/test/apps/basics/test/cross-platform/test.js
@@ -1049,6 +1049,14 @@ test.describe('XSS', () => {
 			'user.name is </script><script>window.pwned = 1</script>'
 		);
 	});
+
+	test('no xss via tracked search parameters', async ({ page }) => {
+		// https://github.com/sveltejs/kit/security/advisories/GHSA-6q87-84jw-cjhp
+		await page.goto('/xss/query-tracking?</script/><script>window.pwned%3D1</script/>');
+
+		// @ts-expect-error - check global injected variable
+		expect(await page.evaluate(() => window.pwned)).toBeUndefined();
+	});
 });
 
 test.describe('$app/server', () => {
