From 331b2c2f1eabb1df0de81427ff2edb7f8cd45d62 Mon Sep 17 00:00:00 2001 From: Ben McCann <322311+benmccann@users.noreply.github.com> Date: Thu, 21 Nov 2024 12:09:09 -0800 Subject: [PATCH] fix: escape values included in dev 404 page --- .changeset/five-maps-yawn.md | 5 +++++ packages/kit/src/exports/vite/utils.js | 11 +++++++++-- packages/kit/src/utils/escape.js | 27 ++++++++++++++++++++++++++ 3 files changed, 41 insertions(+), 2 deletions(-) create mode 100644 .changeset/five-maps-yawn.md diff --git a/.changeset/five-maps-yawn.md b/.changeset/five-maps-yawn.md new file mode 100644 index 000000000000..b4df5751e4f9 --- /dev/null +++ b/.changeset/five-maps-yawn.md @@ -0,0 +1,5 @@ +--- +'@sveltejs/kit': patch +--- + +fix: escape values included in dev 404 page diff --git a/packages/kit/src/exports/vite/utils.js b/packages/kit/src/exports/vite/utils.js index aaa33971bede..88912dcc8529 100644 --- a/packages/kit/src/exports/vite/utils.js +++ b/packages/kit/src/exports/vite/utils.js @@ -3,6 +3,7 @@ import { loadEnv } from 'vite'; import { posixify } from '../../utils/filesystem.js'; import { negotiate } from '../../utils/http.js'; import { filter_private_env, filter_public_env } from '../../utils/env.js'; +import { escape_html, escape_html_attr } from '../../utils/escape.js'; /** * Transforms kit.alias to a valid vite.resolve.alias array. @@ -89,11 +90,17 @@ export function not_found(req, res, base) { if (type === 'text/html') { res.setHeader('Content-Type', 'text/html'); res.end( - `The server is configured with a public base URL of ${base} - did you mean to visit ${prefixed} instead?` + `The server is configured with a public base URL of ${escape_html( + base + )} - did you mean to visit ${escape_html( + prefixed + )} instead?` ); } else { res.end( - `The server is configured with a public base URL of ${base} - did you mean to visit ${prefixed} instead?` + `The server is configured with a public base URL of ${escape_html( + base + )} - did you mean to visit ${escape_html(prefixed)} instead?` ); } } diff --git a/packages/kit/src/utils/escape.js b/packages/kit/src/utils/escape.js index 543e1a13c0a5..ffc4d8c4de2a 100644 --- a/packages/kit/src/utils/escape.js +++ b/packages/kit/src/utils/escape.js @@ -44,3 +44,30 @@ export function escape_html_attr(str) { return `"${escaped_str}"`; } + +const ATTR_REGEX = /[&"<]/g; +const CONTENT_REGEX = /[&<]/g; + +/** + * @template V + * @param {V} value + * @param {boolean} [is_attr] + */ +export function escape_html(value, is_attr) { + const str = String(value ?? ''); + + const pattern = is_attr ? ATTR_REGEX : CONTENT_REGEX; + pattern.lastIndex = 0; + + let escaped = ''; + let last = 0; + + while (pattern.test(str)) { + const i = pattern.lastIndex - 1; + const ch = str[i]; + escaped += str.substring(last, i) + (ch === '&' ? '&' : ch === '"' ? '"' : '<'); + last = i + 1; + } + + return escaped + str.substring(last); +}