

Merge pull request #1086 from sveltejs/gh-1082
[WIP] Fix HTML escaping and non-top-level <script> and <style> issues
Rich-Harris committed Jan 9, 2018
2 parents dbe8105 + f6e6cb6 commit 8d04da6
Showing 7 changed files with 23 additions and 8 deletions.
6 changes: 5 additions & 1 deletion src/generators/nodes/Element.ts
Expand Up @@ -432,6 +432,10 @@ export default class Element extends Node {

if (isVoidElementName(node.name)) return open + '>';

if (node.name === 'script' || node.name === 'style') {
return `${open}>${node.data}</${node.name}>`;
}

return `${open}>${node.children.map(toHTML).join('')}</${node.name}>`;
}
}
Expand Down Expand Up @@ -756,4 +760,4 @@ const events = [
node.isMediaNode() &&
(name === 'buffered' || name === 'seekable')
}
];
];
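Review bot: The new script/style branch in the first hunk interpolates `node.data` with no fallback, and the server-side visitor in src/generators/server-side-rendering/visitors/Element.ts appends the same value. In src/parse/state/tag.ts the `selfClosing` branch is tested before the script/style branch, so unless `element.data` is initialised outside these hunks, a self-closing `<script/>` or `<style/>` would reach this code with `data` undefined and be rendered as the literal text `undefined`. A default such as `${node.data || ''}` here and `generator.append(node.data || '')` in the visitor would make that case explicit. A short comment such as `// raw-text element: contents are emitted verbatim, never entity-escaped` would also record why this branch skips `toHTML`. The enclosing function starts above the hunk.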
2 changes: 2 additions & 0 deletions src/generators/server-side-rendering/visitors/Element.ts
Expand Up @@ -60,6 +60,8 @@ export default function visitElement(

if (node.name === 'textarea' && textareaContents !== undefined) {
generator.append(textareaContents);
} else if (node.name === 'script' || node.name === 'style') {
generator.append(node.data);
} else {
node.children.forEach((child: Node) => {
visit(generator, block, child);
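Review bot: `generator.append(node.data)` passes the element's raw contents through with no string-literal escaping, although src/utils/stringify.ts exports `escape(data, ...)`, which looks intended for that. If `generator.append` writes into a template literal in the generated SSR module (its implementation is not visible here), a backtick, backslash or `${` inside a nested `<script>` or `<style>` would alter or break the generated code instead of appearing in the output. Consider `generator.append(escape(node.data));`, assuming `escape` covers those characters and is in scope in this file, and add a test sample whose script or style body contains a backtick. visitElement continues on both sides of the hunk.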
7 changes: 6 additions & 1 deletion src/parse/state/tag.ts
Expand Up @@ -213,6 +213,7 @@ export default function tag(parser: Parser) {
parser.eat('>', true);

if (selfClosing) {
// don't push self-closing elements onto the stack
element.end = parser.index;
} else if (name === 'textarea') {
// special case
Expand All @@ -223,8 +224,12 @@ export default function tag(parser: Parser) {
);
parser.read(/<\/textarea>/);
element.end = parser.index;
} else if (name === 'script' || name === 'style') {
// special case
element.data = parser.readUntil(new RegExp(`</${name}>`));
parser.eat(`</${name}>`, true);
element.end = parser.index;
} else {
// don't push self-closing elements onto the stack
parser.stack.push(element);
}
}
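Review bot: The closing-tag pattern built from `name` on the `element.data = parser.readUntil(...)` line is case-sensitive and allows no whitespace before `>`, whereas HTML parsers also end these elements at `</SCRIPT>` or `</script >`. For such input the compiler and the browser would disagree on where the element ends, and what `readUntil` returns when the pattern never matches is not visible in this hunk. Either allow `\s*` before `>` and add the `i` flag (with a matching consume step in place of the literal `parser.eat`), or state the accepted form in the comment, e.g. `// special case: only an exact lowercase closing tag ends the raw contents`. The `tag` function starts and ends outside the hunk.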
8 changes: 3 additions & 5 deletions src/utils/stringify.ts
Expand Up @@ -9,13 +9,11 @@ export function escape(data: string, { onlyEscapeAtSymbol = false } = {}) {
}

const escaped = {
'"': '&quot;',
"'": '&##39;',
'&': '&amp;',
'<': '&lt;',
'>': '&gt;'
'>': '&gt;',
};

export function escapeHTML(html) {
return String(html).replace(/["'&<>]/g, match => escaped[match]);
}
return String(html).replace(/[&<>]/g, match => escaped[match]);
}
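Review bot: With `"` and `'` dropped from the `escaped` map, `escapeHTML` is safe only for text-node content; a value placed inside a quoted attribute would no longer have its quotes neutralised. The callers are not visible on this page, so it is worth confirming that none of them passes attribute values through it. The contract could be recorded above the function: `// Escapes text content only (& < >); not safe for attribute values.` The `html` parameter is also untyped; `escapeHTML(html: unknown)` would match the `String(html)` coercion in the body.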
@@ -0,0 +1,5 @@
export default {
html: `
<div>'foo'<span/></div>
`
};
@@ -0,0 +1 @@
<div>'foo'<span/></div>
@@ -1,3 +1,3 @@
<div>
<p>foo: &#39;&#39;</p>
<p>foo: ''</p>
</div>
