fix: check innerHTML is a string when applying XSS fixes

harlan-zw · harlan-zw · commit dbb5581193be · 2023-11-22T02:11:42.000+11:00
Relates to nuxt/nuxt#24388, nuxt-modules/fontaine#350, #278
diff --git a/packages/unhead/src/plugins/xss.ts b/packages/unhead/src/plugins/xss.ts
@@ -4,7 +4,7 @@ export default defineHeadPlugin({
   hooks: {
     'tags:afterResolve': function (ctx) {
       for (const tag of ctx.tags) {
-        if (tag.innerHTML) {
+        if (typeof tag.innerHTML === 'string') {
           if (tag.innerHTML && ['application/ld+json', 'application/json'].includes(tag.props.type))
           // ensure </script> tags get encoded, this is only for JSON, it will break HTML if used
           { tag.innerHTML = tag.innerHTML.replace(/</g, '\\u003C') }
@@ -15,6 +15,7 @@ export default defineHeadPlugin({
               .replace(new RegExp(`</${tag.tag}`, 'g'), `<\\/${tag.tag}`)
           }
         }
+        // TODO delete innerHTML otherwise
       }
     },
   },

Original file line number	Diff line number	Diff line change
`@@ -4,7 +4,7 @@ export default defineHeadPlugin({`
`4`	`4`	`hooks: {`
`5`	`5`	`'tags:afterResolve': function (ctx) {`
`6`	`6`	`for (const tag of ctx.tags) {`
`7`		`- if (tag.innerHTML) {`
	`7`	`+ if (typeof tag.innerHTML === 'string') {`
`8`	`8`	`if (tag.innerHTML && ['application/ld+json', 'application/json'].includes(tag.props.type))`
`9`	`9`	`// ensure </script> tags get encoded, this is only for JSON, it will break HTML if used`
`10`	`10`	`{ tag.innerHTML = tag.innerHTML.replace(/</g, '\\u003C') }`
`@@ -15,6 +15,7 @@ export default defineHeadPlugin({`
`15`	`15`	.replace(new RegExp(`</${tag.tag}`, 'g'), `<\\/${tag.tag}`)
`16`	`16`	`}`
`17`	`17`	`}`
	`18`	`+ // TODO delete innerHTML otherwise`
`18`	`19`	`}`
`19`	`20`	`},`
`20`	`21`	`},`