Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Issues with new entity escaping behavior #1082

Closed
Conduitry opened this issue Jan 7, 2018 · 5 comments
Closed

Issues with new entity escaping behavior #1082

Conduitry opened this issue Jan 7, 2018 · 5 comments
Labels
bug

Comments

@Conduitry
Copy link
Member

The new entity escaping in 1.51 introduced a couple of issues:

  • Compiling <div>'foo'<bar/></div> results in code that renders &##39;foo&##39;. There's obviously something going on with the sigil escaping here. Either it never gets unescaped, or it's getting escaped an additional time before getting unescaped.

  • Non-top-level <style> and <script> elements (which are useful when using SSR to render an entire document) are rendered back into the document with entities escaped, which breaks a bunch of stuff.

Also an existing problem from before 1.51: Non-top-level <style> and <script> elements are parsed as though they were HTML. So e.g. something like <div><script>alert('<>')</script></div> results in a parse error because Svelte is expecting a tag name in the <>. The parser should consume until the </script> when inside a <script> tag, even if it is not a top-level one.
@Conduitry
Copy link
Member Author

Also, relatedly, I think the new escapeHTML function should probably only escape &, <, and >. It's only being used to escape strings that appear as text nodes, not attributes. I think this would eliminate the first issue (since the entity for ' is the only one affected by sigil escaping), but we should still look into exactly what's happening there and address it.

@Conduitry Conduitry added the bug label Jan 7, 2018
@Conduitry Conduitry mentioned this issue Jan 8, 2018
Merged
Rich-Harris added a commit that referenced this issue Jan 9, 2018
@Rich-Harris
failing test for #1082
26bc1f3
Rich-Harris added a commit that referenced this issue Jan 9, 2018
@Rich-Harris
Merge pull request #1086 from sveltejs/gh-1082
8d04da6 
[WIP] Fix HTML escaping and non-top-level <script> and <style> issues
Rich-Harris added a commit that referenced this issue Jan 9, 2018
@Rich-Harris
Merge branch 'master' into gh-1082-script-style-test
7193109
@arxpoetica
Copy link
Member

See: https://svelte.technology/repl?version=1.51.0&gist=2fabbd64d03708d6e536811387a87d5a

@TehShrike
Copy link
Member

Only seems to happen if the characters are inside an element that isn't at the top level: https://svelte.technology/repl?version=1.51.0&gist=637056dfca497eb872db02ca231ef89d

TehShrike added a commit to KayserCommentaryOrg/revelation-project that referenced this issue Jan 10, 2018
@TehShrike
Downgrade svelte
c5d3455 
Waiting until sveltejs/svelte#1082 is fixed
@Conduitry
Copy link
Member Author

Yeah that issue is one of the ones fixed by my PR, which has been merged and will be in the next version.

@Rich-Harris
Copy link
Member

Just released the fix — closing

@Conduitry Conduitry mentioned this issue Jan 11, 2018
Merged
Rich-Harris added a commit that referenced this issue Jan 13, 2018
@Rich-Harris
Merge pull request #1097 from sveltejs/gh-1082-b
8057884 
fix escaping of sigils in SSR non-top-level <script> and <style>
@Conduitry Conduitry mentioned this issue Feb 3, 2018
Closed
Conduitry added a commit that referenced this issue Feb 8, 2018
@Conduitry
Merge branch 'gh-1147' into gh-1082-script-style-test
4b4737a
Conduitry pushed a commit that referenced this issue Feb 8, 2018
@Rich-Harris @Conduitry
failing test for #1082
1719a31
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@arxpoetica @TehShrike @Rich-Harris @Conduitry