This repository was archived by the owner on Jan 11, 2023. It is now read-only.

Commit 1830b31

committed
safe replacement, do not eval string-concat in handle_page-context
1 parent 04a77a7 commit 1830b31


1 file changed

+5
-5
lines changed


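--- a/runtime/src/server/middleware/get_page_handler.ts
+++ b/runtime/src/server/middleware/get_page_handler.ts
@@ -319,11 +319,11 @@ export function get_page_handler(
 
 let replacers: PageContentReducer[] = res.replacers || [];
 replacers = replacers.concat([
-(ctx) => (ctx.body = ctx.body.replace('%sapper.base%', `<base href="${ctx.baseUrl}/">`), ctx),
-(ctx) => (ctx.body = ctx.body.replace('%sapper.head%', `<noscript id='sapper-head-start'></noscript>${ctx.head}<noscript id='sapper-head-end'></noscript>`), ctx),
-(ctx) => (ctx.body = ctx.body.replace('%sapper.styles%', ctx.styles), ctx),
-(ctx) => (ctx.body = ctx.body.replace('%sapper.html%', ctx.html), ctx),
-(ctx) => (ctx.body = ctx.body.replace('%sapper.scripts%', `<script${ctx.nonce_attr}>${ctx.script}</script>`), ctx),
+(ctx) => (ctx.body = ctx.body.replace('%sapper.base%', () => `<base href="${ctx.baseUrl}/">`), ctx),
+(ctx) => (ctx.body = ctx.body.replace('%sapper.head%', () => `<noscript id='sapper-head-start'></noscript>${ctx.head}<noscript id='sapper-head-end'></noscript>`), ctx),
+(ctx) => (ctx.body = ctx.body.replace('%sapper.styles%', () => ctx.styles), ctx),
+(ctx) => (ctx.body = ctx.body.replace('%sapper.html%', () => ctx.html), ctx),
+(ctx) => (ctx.body = ctx.body.replace('%sapper.scripts%', () => `<script${ctx.nonceAttr}>${ctx.script}</script>`), ctx),
 ]);
 
 const pageContent = replacers.reduce((ctx: PageContent, replace: PageContentReducer) => replace(ctx),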
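Review bot: The scripts replacer on new line 326 now reads `ctx.nonceAttr` where the removed line read `ctx.nonce_attr`, a rename the commit title does not mention. If the object passed into the reducers still carries `nonce_attr`, the template literal would render `<scriptundefined>` and the CSP nonce would be dropped, so confirm that the `PageContent` type and the code that builds the initial context (both outside this hunk) use the new name. The reducers also still run one after another over the same `ctx.body`, so a literal `%sapper.html%` or `%sapper.scripts%` inside `ctx.head` or `ctx.html` would be matched by a later `replace`; a regression test with such content, and with `$&` and `$'` in rendered content, would pin the intended behaviour. A one-line comment above the array, such as `// replacement must be a function: a string replacement expands $-patterns found in rendered content`, would keep a later cleanup from reverting to the string form. The body of get_page_handler starts and ends outside the hunk.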
