Skip to content
This repository has been archived by the owner on Jan 11, 2023. It is now read-only.

Commit

Permalink
Merge pull request #307 from sveltejs/unsafe-replacements
Browse files Browse the repository at this point in the history
prevent unsafe replacements of preloaded data etc
  • Loading branch information
Rich-Harris authored Jul 15, 2018
2 parents 0e37753 + 74acf93 commit 091e380
Show file tree
Hide file tree
Showing 3 changed files with 24 additions and 5 deletions.
10 changes: 5 additions & 5 deletions src/middleware.ts
Original file line number Diff line number Diff line change
Expand Up @@ -360,11 +360,11 @@ function get_page_handler(App: Component, routes: RouteObject[], store_getter: (
}

const page = template()
.replace('%sapper.base%', `<base href="${req.baseUrl}/">`)
.replace('%sapper.scripts%', `<script>${inline_script}</script>${scripts}`)
.replace('%sapper.html%', html)
.replace('%sapper.head%', `<noscript id='sapper-head-start'></noscript>${head}<noscript id='sapper-head-end'></noscript>`)
.replace('%sapper.styles%', (css && css.code ? `<style>${css.code}</style>` : ''));
.replace('%sapper.base%', () => `<base href="${req.baseUrl}/">`)
.replace('%sapper.scripts%', () => `<script>${inline_script}</script>${scripts}`)
.replace('%sapper.html%', () => html)
.replace('%sapper.head%', () => `<noscript id='sapper-head-start'></noscript>${head}<noscript id='sapper-head-end'></noscript>`)
.replace('%sapper.styles%', () => (css && css.code ? `<style>${css.code}</style>` : ''));

res.statusCode = status;
res.end(page);
Expand Down
9 changes: 9 additions & 0 deletions test/app/routes/unsafe-replacement.html
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
$&

<script>
export default {
preload() {
return '$&';
}
};
</script>
10 changes: 10 additions & 0 deletions test/common/test.js
Original file line number Diff line number Diff line change
Expand Up @@ -619,6 +619,16 @@ function run({ mode, basepath = '' }) {
assert.equal(name, 'BODY');
});
});

it('replaces %sapper.xxx% tags safely', () => {
return nightmare
.goto(`${base}/unsafe-replacement`)
.init()
.page.html()
.then(html => {
assert.equal(html.indexOf('%sapper'), -1);
});
});
});

describe('headers', () => {
Expand Down

0 comments on commit 091e380

Please sign in to comment.