preactjs / wmr

👩‍🚀 The tiny all-in-one development tool for modern web apps.
https://wmr.dev/
MIT License
4.92k stars 109 forks

Prerender: HTML textContent of <script type="wmrdata"> is not escaped #911

Closed danielweck closed 2 years ago

danielweck commented 2 years ago

When the result.data object contains strings with < or > or & non-escaped characters, this trips the HTML parser:

https://github.com/preactjs/wmr/blob/11663db6104171bcebd434ad4443e1fcb3dcea68/packages/wmr/src/lib/prerender.js#L182

Suggestion: use the existing enc() function?

https://github.com/preactjs/wmr/blob/11663db6104171bcebd434ad4443e1fcb3dcea68/packages/wmr/src/lib/prerender.js#L55-L57

danielweck commented 2 years ago

I am retracting this issue. According to my tests in Safari and Firefox (macOS), my <script type="text/javascript">...</script> markup generated by serializeElement() via result.head.elements doesn't seem to mind <, > or &, in JavaScript code or in string literals. I assume the same for <script type="wmrdata">...</script>.

https://github.com/preactjs/wmr/blob/11663db6104171bcebd434ad4443e1fcb3dcea68/packages/wmr/src/lib/prerender.js#L113-L134
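Added example, not wmr's own code and not from the issue author, covering the serialisation question raised in both comments above. The function names (`serializeScriptData`, `scriptDataTag`, `containsScriptTerminator`) and the sample data are constructed for this illustration. Two facts shape it: the HTML tokenizer does not decode character references inside `<script>`, so HTML-entity encoding of the kind `enc()` produces (`&lt;`) would reach `JSON.parse` literally and corrupt the data; and while a bare `<`, `>` or `&` is indeed harmless in script text, the sequence `</script` (and `<!--`) inside a data string ends the element early. Escaping those characters as JSON `\uXXXX` sequences keeps the text valid JSON and leaves nothing for the HTML parser to act on.

```javascript
// Added example (not wmr's code): safely serialise a prerender data object into
// the text of an inline <script type="wmrdata"> element.
//
// In "script data" state the HTML tokenizer does not decode character
// references, so `&lt;` would be handed to JSON.parse literally. The only thing
// that can cut the element short is `</script` (case-insensitive); `<!--` also
// changes how the end tag is located. Escaping `<`, `>` and `&` as \uXXXX makes
// the output valid JSON that the HTML parser never reinterprets. U+2028/U+2029
// are escaped too, so the text also stays valid if it is ever evaluated as a
// JavaScript string literal.

const SCRIPT_UNSAFE = /[<>&\u2028\u2029]/g;

function escapeForScript(ch) {
  return '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0');
}

/** JSON text that is safe to place verbatim inside a <script> element. */
function serializeScriptData(data) {
  return JSON.stringify(data).replace(SCRIPT_UNSAFE, escapeForScript);
}

/** Full element; `type` defaults to the one discussed in the issue. */
function scriptDataTag(data, type = 'wmrdata') {
  return `<script type="${type}">${serializeScriptData(data)}</script>`;
}

/** True if `text` could terminate an enclosing <script> element early. */
function containsScriptTerminator(text) {
  return /<\/script|<!--/i.test(text);
}

// Constructed sample: prerender data of the kind that tripped the parser,
// including a string that happens to contain a closing script tag.
const sample = {
  title: 'Tom & Jerry <3',
  html: '<p>hi</p></script><b>x</b>',
  line: 'a\u2028b',
};

console.log(scriptDataTag(sample));
// Round-trips: the browser would JSON.parse the script's textContent.
console.log(JSON.parse(serializeScriptData(sample)).html === sample.html); // true
```

Plain `JSON.stringify` is not enough on its own: it escapes quotes, backslashes and control characters but leaves `<`, `>` and `&` untouched, which is exactly why `containsScriptTerminator(JSON.stringify(sample))` is true while the escaped form never contains a `<` at all.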