From 44d65952e09be9b4954a724e3d52ef7e78e41c39 Mon Sep 17 00:00:00 2001
From: dominikg <dominik.goepel@gmx.de>
Date: Wed, 9 Feb 2022 22:29:26 +0100
Subject: [PATCH 1/6] refactor: combine JSON.stringify and character escapes in
 one function that takes a JSONValue

---
 .../kit/src/runtime/server/page/load_node.js  |  4 +-
 .../kit/src/runtime/server/page/render.js     |  2 +-
 packages/kit/src/utils/escape.js              | 46 ++++---------------
 3 files changed, 11 insertions(+), 41 deletions(-)

diff --git a/packages/kit/src/runtime/server/page/load_node.js b/packages/kit/src/runtime/server/page/load_node.js
index 714a3e2ba462..014e743423e5 100644
--- a/packages/kit/src/runtime/server/page/load_node.js
+++ b/packages/kit/src/runtime/server/page/load_node.js
@@ -1,7 +1,7 @@
 import { normalize } from '../../load.js';
 import { respond } from '../index.js';
 import { s } from '../../../utils/misc.js';
-import { escape_json_value_in_html } from '../../../utils/escape.js';
+import {escape_json_in_html} from '../../../utils/escape.js';
 import { is_root_relative, resolve } from '../../../utils/url.js';
 import { create_prerendering_url_proxy } from './utils.js';
 import { is_pojo } from '../utils.js';
@@ -257,7 +257,7 @@ export async function load_node({
 								fetched.push({
 									url: requested,
 									body: /** @type {string} */ (opts.body),
-									json: `{"status":${response.status},"statusText":${s(response.statusText)},"headers":${s(headers)},"body":"${escape_json_value_in_html(body)}"}`
+									json: `{"status":${response.status},"statusText":${s(response.statusText)},"headers":${s(headers)},"body":${escape_json_in_html(body)}}`
 								});
 							}
 
diff --git a/packages/kit/src/runtime/server/page/render.js b/packages/kit/src/runtime/server/page/render.js
index 67891e389f6c..361510bafeb7 100644
--- a/packages/kit/src/runtime/server/page/render.js
+++ b/packages/kit/src/runtime/server/page/render.js
@@ -261,7 +261,7 @@ export async function render_response({
 
 			if (shadow_props) {
 				// prettier-ignore
-				body += `<script type="application/json" data-type="svelte-props">${escape_json_in_html(s(shadow_props))}</script>`;
+				body += `<script type="application/json" data-type="svelte-props">${escape_json_in_html(shadow_props)}</script>`;
 			}
 		}
 
diff --git a/packages/kit/src/utils/escape.js b/packages/kit/src/utils/escape.js
index 895c45570d26..8682969ba179 100644
--- a/packages/kit/src/utils/escape.js
+++ b/packages/kit/src/utils/escape.js
@@ -1,50 +1,20 @@
+// dict from https://github.com/yahoo/serialize-javascript/blob/183c18a776e4635a379fdc620f81771f219832bb/index.js#L25
+// code licensed under the New BSD License.
 /** @type {Record<string, string>} */
 const escape_json_in_html_dict = {
-	'&': '\\u0026',
-	'>': '\\u003e',
-	'<': '\\u003c',
-	'\u2028': '\\u2028',
-	'\u2029': '\\u2029'
-};
-
-/** @type {Record<string, string>} */
-const escape_json_value_in_html_dict = {
-	'"': '\\"',
-	'<': '\\u003C',
-	'>': '\\u003E',
-	'/': '\\u002F',
-	'\\': '\\\\',
-	'\b': '\\b',
-	'\f': '\\f',
-	'\n': '\\n',
-	'\r': '\\r',
-	'\t': '\\t',
-	'\0': '\\0',
+	'<'     : '\\u003C',
+	'>'     : '\\u003E',
+	'/'     : '\\u002F',
 	'\u2028': '\\u2028',
 	'\u2029': '\\u2029'
 };
 
 /**
  * Escape a stringified JSON object that's going to be embedded in a `<script>` tag
- * @param {string} str
- */
-export function escape_json_in_html(str) {
-	// adapted from https://github.com/vercel/next.js/blob/694407450638b037673c6d714bfe4126aeded740/packages/next/server/htmlescape.ts
-	// based on https://github.com/zertosh/htmlescape
-	// License: https://github.com/zertosh/htmlescape/blob/0527ca7156a524d256101bb310a9f970f63078ad/LICENSE
-	return str.replace(/[&><\u2028\u2029]/g, (match) => escape_json_in_html_dict[match]);
-}
-
-/**
- * Escape a string JSON value to be embedded into a `<script>` tag
- * @param {string} str
+ * @param {import("@sveltejs/kit/types/helper").JSONValue} val
  */
-export function escape_json_value_in_html(str) {
-	return escape(
-		str,
-		escape_json_value_in_html_dict,
-		(code) => `\\u${code.toString(16).toUpperCase()}`
-	);
+export function escape_json_in_html(val) {
+	return JSON.stringify(val).replace(/[/><\u2028\u2029]/g, (match) => escape_json_in_html_dict[match]);
 }
 
 /**

From e72e1e46ee00c882ec42ced8e59a8b8f5e8bf36f Mon Sep 17 00:00:00 2001
From: dominikg <dominik.goepel@gmx.de>
Date: Wed, 9 Feb 2022 22:52:18 +0100
Subject: [PATCH 2/6] refactor: build regex from dict keys

---
 packages/kit/src/utils/escape.js | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/packages/kit/src/utils/escape.js b/packages/kit/src/utils/escape.js
index 8682969ba179..d55a81472352 100644
--- a/packages/kit/src/utils/escape.js
+++ b/packages/kit/src/utils/escape.js
@@ -1,5 +1,4 @@
 // dict from https://github.com/yahoo/serialize-javascript/blob/183c18a776e4635a379fdc620f81771f219832bb/index.js#L25
-// code licensed under the New BSD License.
 /** @type {Record<string, string>} */
 const escape_json_in_html_dict = {
 	'<'     : '\\u003C',
@@ -9,12 +8,14 @@ const escape_json_in_html_dict = {
 	'\u2029': '\\u2029'
 };
 
+const escape_json_in_html_regex = new RegExp(`[${Object.keys(escape_json_in_html_dict).join('')}]`,'g');
+
 /**
- * Escape a stringified JSON object that's going to be embedded in a `<script>` tag
+ * Escape a JSONValue that's going to be embedded in a `<script>` tag
  * @param {import("@sveltejs/kit/types/helper").JSONValue} val
  */
 export function escape_json_in_html(val) {
-	return JSON.stringify(val).replace(/[/><\u2028\u2029]/g, (match) => escape_json_in_html_dict[match]);
+	return JSON.stringify(val).replace(escape_json_in_html_regex, (match) => escape_json_in_html_dict[match]);
 }
 
 /**

From bd9e1140288676e548da789b5d211e7e7f41d057 Mon Sep 17 00:00:00 2001
From: dominikg <dominik.goepel@gmx.de>
Date: Wed, 9 Feb 2022 23:21:29 +0100
Subject: [PATCH 3/6] chore: lint fixes

---
 .../kit/src/runtime/server/page/load_node.js     |  2 +-
 packages/kit/src/utils/escape.js                 | 16 +++++++++++-----
 2 files changed, 12 insertions(+), 6 deletions(-)

diff --git a/packages/kit/src/runtime/server/page/load_node.js b/packages/kit/src/runtime/server/page/load_node.js
index 014e743423e5..294995233648 100644
--- a/packages/kit/src/runtime/server/page/load_node.js
+++ b/packages/kit/src/runtime/server/page/load_node.js
@@ -1,7 +1,7 @@
 import { normalize } from '../../load.js';
 import { respond } from '../index.js';
 import { s } from '../../../utils/misc.js';
-import {escape_json_in_html} from '../../../utils/escape.js';
+import { escape_json_in_html } from '../../../utils/escape.js';
 import { is_root_relative, resolve } from '../../../utils/url.js';
 import { create_prerendering_url_proxy } from './utils.js';
 import { is_pojo } from '../utils.js';
diff --git a/packages/kit/src/utils/escape.js b/packages/kit/src/utils/escape.js
index d55a81472352..c15a798d6e73 100644
--- a/packages/kit/src/utils/escape.js
+++ b/packages/kit/src/utils/escape.js
@@ -1,21 +1,27 @@
 // dict from https://github.com/yahoo/serialize-javascript/blob/183c18a776e4635a379fdc620f81771f219832bb/index.js#L25
 /** @type {Record<string, string>} */
 const escape_json_in_html_dict = {
-	'<'     : '\\u003C',
-	'>'     : '\\u003E',
-	'/'     : '\\u002F',
+	'<': '\\u003C',
+	'>': '\\u003E',
+	'/': '\\u002F',
 	'\u2028': '\\u2028',
 	'\u2029': '\\u2029'
 };
 
-const escape_json_in_html_regex = new RegExp(`[${Object.keys(escape_json_in_html_dict).join('')}]`,'g');
+const escape_json_in_html_regex = new RegExp(
+	`[${Object.keys(escape_json_in_html_dict).join('')}]`,
+	'g'
+);
 
 /**
  * Escape a JSONValue that's going to be embedded in a `<script>` tag
  * @param {import("@sveltejs/kit/types/helper").JSONValue} val
  */
 export function escape_json_in_html(val) {
-	return JSON.stringify(val).replace(escape_json_in_html_regex, (match) => escape_json_in_html_dict[match]);
+	return JSON.stringify(val).replace(
+		escape_json_in_html_regex,
+		(match) => escape_json_in_html_dict[match]
+	);
 }
 
 /**

From f38e08fc8fea0dd6d058b96321e8bd2571eb1188 Mon Sep 17 00:00:00 2001
From: dominikg <dominik.goepel@gmx.de>
Date: Wed, 9 Feb 2022 23:28:25 +0100
Subject: [PATCH 4/6] chore: add changeset

---
 .changeset/metal-moons-provide.md | 5 +++++
 1 file changed, 5 insertions(+)
 create mode 100644 .changeset/metal-moons-provide.md

diff --git a/.changeset/metal-moons-provide.md b/.changeset/metal-moons-provide.md
new file mode 100644
index 000000000000..1faeae6e6d3a
--- /dev/null
+++ b/.changeset/metal-moons-provide.md
@@ -0,0 +1,5 @@
+---
+'@sveltejs/kit': patch
+---
+
+refactor: use one escape function for json in html script body instead of two slightly different

From 2b397cce11475449735f486e25e8801ae150f233 Mon Sep 17 00:00:00 2001
From: dominikg <dominik.goepel@gmx.de>
Date: Thu, 10 Feb 2022 22:44:50 +0100
Subject: [PATCH 5/6] fix: make sure we only add status to json if it is a
 number

---
 packages/kit/src/runtime/server/page/load_node.js | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/packages/kit/src/runtime/server/page/load_node.js b/packages/kit/src/runtime/server/page/load_node.js
index 294995233648..f1732b76865a 100644
--- a/packages/kit/src/runtime/server/page/load_node.js
+++ b/packages/kit/src/runtime/server/page/load_node.js
@@ -253,11 +253,21 @@ export async function load_node({
 							}
 
 							if (!opts.body || typeof opts.body === 'string') {
+								// the json constructed below is later added to the dom in a script tag
+								// make sure the used values are safe
+								const statusNumber = Number(response.status);
+								if (isNaN(statusNumber)) {
+									throw new Error(
+										`response.status is not a number. value: "${
+											response.status
+										}" type: ${typeof response.status}`
+									);
+								}
 								// prettier-ignore
 								fetched.push({
 									url: requested,
 									body: /** @type {string} */ (opts.body),
-									json: `{"status":${response.status},"statusText":${s(response.statusText)},"headers":${s(headers)},"body":${escape_json_in_html(body)}}`
+									json: `{"status":${statusNumber},"statusText":${s(response.statusText)},"headers":${s(headers)},"body":${escape_json_in_html(body)}}`
 								});
 							}
 

From 44c7e0690ba4103cc771b9b4222529455f1a75c7 Mon Sep 17 00:00:00 2001
From: dominikg <dominik.goepel@gmx.de>
Date: Fri, 11 Feb 2022 11:27:41 +0100
Subject: [PATCH 6/6] chore: fix formatting

---
 packages/kit/src/runtime/server/page/load_node.js | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/packages/kit/src/runtime/server/page/load_node.js b/packages/kit/src/runtime/server/page/load_node.js
index f1732b76865a..582da5477210 100644
--- a/packages/kit/src/runtime/server/page/load_node.js
+++ b/packages/kit/src/runtime/server/page/load_node.js
@@ -255,8 +255,8 @@ export async function load_node({
 							if (!opts.body || typeof opts.body === 'string') {
 								// the json constructed below is later added to the dom in a script tag
 								// make sure the used values are safe
-								const statusNumber = Number(response.status);
-								if (isNaN(statusNumber)) {
+								const status_number = Number(response.status);
+								if (isNaN(status_number)) {
 									throw new Error(
 										`response.status is not a number. value: "${
 											response.status
@@ -267,7 +267,7 @@ export async function load_node({
 								fetched.push({
 									url: requested,
 									body: /** @type {string} */ (opts.body),
-									json: `{"status":${statusNumber},"statusText":${s(response.statusText)},"headers":${s(headers)},"body":${escape_json_in_html(body)}}`
+									json: `{"status":${status_number},"statusText":${s(response.statusText)},"headers":${s(headers)},"body":${escape_json_in_html(body)}}`
 								});
 							}