Improper escaping of HTML attribute when transformIndexHtml is used #18040

Closed
7 tasks done
jtbandes opened this issue Sep 5, 2024 · 1 comment · Fixed by #18067
Labels
contribution welcome feat: html p3-minor-bug An edge case that only affects very specific usage (priority)


jtbandes commented Sep 5, 2024

Describe the bug

Vite plugins which implement the transformIndexHtml() function can choose to return an array, representing HTML tags to be added to the document. The attrs of these tags are improperly escaped and can lead to arbitrary HTML/scripts being injected into the index.html file.

The serializeAttrs function used by the built-in html plugin incorrectly escapes HTML attributes using JSON.stringify:

res += ` ${key}=${JSON.stringify(attrs[key])}`

This code dates back to 4 years ago: 9ce2ab4#diff-89bae1df62862bb7f4a03d82a1e9cbf4ac6d0c042f21fbbacb0a2238bd050042R140

Reproduction

https://stackblitz.com/edit/vitejs-vite-swzvsz?file=vite.config.ts

Steps to reproduce

Using the following vite.config.ts:

import { defineConfig } from 'vite';

export default defineConfig({
  plugins: [
    {
      name: 'example',
      transformIndexHtml(_html, _ctx) {
        return [
          {
            tag: 'link',
            attrs: {
              rel: 'icon',
              href: `"><script>alert('hi from transformIndexHtml')</script>`,
            },
          },
        ];
      },
    },
  ],
});

The resulting index.html file now includes this:

<link rel="icon" href="\"><script>alert('hi from transformIndexHtml')</script>">

(The leading " was incorrectly escaped with \. One correct way to escape this in a HTML attribute would be &quot;.)

System Info

vite 5.4.3

Used Package Manager

npm

Logs

No response


stackblitz bot commented Sep 5, 2024

Fix this issue in StackBlitz Codeflow Start a new pull request in StackBlitz Codeflow.

@sapphi-red sapphi-red added contribution welcome feat: html p3-minor-bug An edge case that only affects very specific usage (priority) labels Sep 10, 2024
@github-actions github-actions bot locked and limited conversation to collaborators Sep 26, 2024
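
The escaping difference described in the issue, as an added example that is not part of the original thread or of Vite's source. `serializeAttrsUnsafe` is a simplified stand-in built around the single `JSON.stringify` line quoted above; `serializeAttrsSafe`, `escapeAttrValue`, `renderTag` and the attribute-name check are hypothetical names and assumptions, not the fix merged in #18067.

```javascript
// Added example, not Vite's source. Simplified stand-in built around the
// one line quoted in the issue.
function serializeAttrsUnsafe(attrs) {
  let res = '';
  for (const key in attrs) {
    // JSON.stringify turns " into \", which HTML does not treat as an escape,
    // so the attribute value ends at that quote.
    res += ` ${key}=${JSON.stringify(attrs[key])}`;
  }
  return res;
}

// Escaping for a double-quoted HTML attribute value. & and " are required;
// < and > are escaped as well, which is harmless and easier to audit.
const ATTR_ESCAPES = { '&': '&amp;', '"': '&quot;', '<': '&lt;', '>': '&gt;' };
function escapeAttrValue(value) {
  return String(value).replace(/[&"<>]/g, (ch) => ATTR_ESCAPES[ch]);
}

// Assumption (goes beyond the issue): attribute names are validated too,
// since whitespace, quotes, "=", "/", "<" or ">" in a name also break the tag.
const SAFE_ATTR_NAME = /^[^\s"'<>\/=]+$/;

function serializeAttrsSafe(attrs) {
  let res = '';
  for (const key of Object.keys(attrs)) {
    if (!SAFE_ATTR_NAME.test(key)) {
      throw new Error(`invalid attribute name: ${JSON.stringify(key)}`);
    }
    const value = attrs[key];
    if (typeof value === 'boolean') {
      if (value) res += ` ${key}`; // boolean attribute: name only, or omitted
    } else {
      res += ` ${key}="${escapeAttrValue(value)}"`;
    }
  }
  return res;
}

function renderTag(tag, attrs, serialize) {
  return `<${tag}${serialize(attrs)}>`;
}

// The attrs object from the issue's vite.config.ts.
const issueAttrs = {
  rel: 'icon',
  href: `"><script>alert('hi from transformIndexHtml')</script>`,
};
console.log(renderTag('link', issueAttrs, serializeAttrsUnsafe));
console.log(renderTag('link', issueAttrs, serializeAttrsSafe));
```

The first printed line reproduces the output reported in the issue; in the second, the whole payload stays inside the `href` value as character references.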