Fix escaping/unescaping of text and attributes in SSR #747
Conversation
Rich-Harris
changed the title
|
Alright, hopefully this is fixed once and for all! @Conduitry would appreciate a once-over if you get a chance, you seem to have a knack for these bugs... |
src/utils/stringify.ts
Outdated
| @@ -1,3 +1,7 @@ | |||
| export default function stringify(data: string) { | |||
| export function stringify(data: string) { | |||
| return JSON.stringify(data.replace(/([^\\@#])?([@#])/g, '$1\\$2')); | |||
There was a problem hiding this comment.
stringify should probably call escape instead of having its own copy of the regex.
There was a problem hiding this comment.
good catch! for a brief moment while I was bashing my head against a wall they had different regexes, hence the (now unnecessary) duplication. fixed
| @@ -178,7 +178,12 @@ export default function ssr( | |||
| function __escape ( html ) { | |||
| return String( html ).replace( /["'&<>]/g, match => escaped[ match ] ); | |||
| } | |||
| `.replace(/(\\)?@(\w*)/g, (match: string, escaped: string, name: string) => escaped ? match.slice(1) : generator.alias(name)); | |||
| `.replace(/(\\)?([@#])(\w*)/g, (match: string, escaped: string, sigil: string, name: string) => { | |||
There was a problem hiding this comment.
I see similar (but not identical) code to this in the DOM generator, but I'm not entirely sure what it all does. Have all #-sigiled identifiers already been replaced, because we're at the top level?
There was a problem hiding this comment.
There are no #-sigiled identifiers in SSR code, because that means 'create a unique name inside this block', and there are no 'blocks' to speak of (because everything is inline). But because it uses the same escape helper, # characters are escaped anyway, and therefore need to be unescaped. A bit circuitous, admittedly
Fixes #741