Skip to content

Commit

Permalink
Revert "Revert "feat(server-islands): only encode ETAGO delimiter (#1…
Browse files Browse the repository at this point in the history
  • Loading branch information
florian-lefebvre authored Jan 21, 2025
1 parent 8911bda commit f576519
Show file tree
Hide file tree
Showing 5 changed files with 40 additions and 8 deletions.
5 changes: 5 additions & 0 deletions .changeset/fifty-socks-end.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
---
'astro': patch
---

Updates the server islands encoding logic to only escape the script end tag open delimiter and opening HTML comment syntax
16 changes: 11 additions & 5 deletions packages/astro/src/runtime/server/render/server-islands.ts
Original file line number Diff line number Diff line change
Expand Up @@ -15,13 +15,19 @@ export function containsServerDirective(props: Record<string | number, any>) {
return 'server:component-directive' in props;
}

const SCRIPT_RE = /<\/script/giu;
const COMMENT_RE = /<!--/gu;
const SCRIPT_REPLACER = '<\\/script';
const COMMENT_REPLACER = '\\u003C!--';

/**
* Encodes the script end-tag open (ETAGO) delimiter and opening HTML comment syntax for JSON inside a `<script>` tag.
* @see https://mathiasbynens.be/notes/etago
*/
function safeJsonStringify(obj: any) {
return JSON.stringify(obj)
.replace(/\u2028/g, '\\u2028')
.replace(/\u2029/g, '\\u2029')
.replace(/</g, '\\u003c')
.replace(/>/g, '\\u003e')
.replace(/\//g, '\\u002f');
.replace(SCRIPT_RE, SCRIPT_REPLACER)
.replace(COMMENT_RE, COMMENT_REPLACER);
}

function createSearchParams(componentExport: string, encryptedProps: string, slots: string) {
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
---
import Island from '../components/Island.astro';
---
<html>
<head>
<title>Testing</title>
</head>
<body>
<h1>Testing</h1>
<Island server:defer />
</body>
</html>
Original file line number Diff line number Diff line change
@@ -1,12 +1,14 @@
---
import Island from '../components/Island.astro';
const xssMe ="</script><script>alert('xss')</script><!--"
---
<html>
<head>
<title>Testing</title>
</head>
<body>
<h1>Testing</h1>
<Island server:defer />
<Island server:defer message={xssMe} />
</body>
</html>
11 changes: 9 additions & 2 deletions packages/astro/test/server-islands.test.js
Original file line number Diff line number Diff line change
Expand Up @@ -37,6 +37,13 @@ describe('Server islands', () => {
assert.equal(serverIslandEl.length, 0);
});

it('HTML escapes scripts', async () => {
const res = await fixture.fetch('/');
assert.equal(res.status, 200);
const html = await res.text();
assert.equal(html.includes("</script><script>alert('xss')</script><!--"), false);
});

it('island is not indexed', async () => {
const res = await fixture.fetch('/_server-islands/Island', {
method: 'POST',
Expand All @@ -62,7 +69,7 @@ describe('Server islands', () => {
assert.equal(works, 'true', 'able to set header from server island');
});
it('omits empty props from the query string', async () => {
const res = await fixture.fetch('/');
const res = await fixture.fetch('/empty-props');
assert.equal(res.status, 200);
const html = await res.text();
const fetchMatch = html.match(/fetch\('\/_server-islands\/Island\?[^']*p=([^&']*)/);
Expand Down Expand Up @@ -135,7 +142,7 @@ describe('Server islands', () => {
});
it('omits empty props from the query string', async () => {
const app = await fixture.loadTestAdapterApp();
const request = new Request('http://example.com/');
const request = new Request('http://example.com/empty-props');
const response = await app.render(request);
assert.equal(response.status, 200);
const html = await response.text();
Expand Down

0 comments on commit f576519

Please sign in to comment.