Vite plugins which implement the transformIndexHtml() function can choose to return an array, representing HTML tags to be added to the document. The attrs of these tags are improperly escaped and can lead to arbitrary HTML/scripts being injected into the index.html file.
[X] Check that there isn't already an issue that reports the same bug to avoid creating a duplicate.
[X] Make sure this is a Vite issue and not a framework-specific issue. For example, if it's a Vue SFC related bug, it should likely be reported to vuejs/core instead.
Describe the bug
Vite plugins which implement the
transformIndexHtml()
function can choose to return an array, representing HTML tags to be added to the document. Theattrs
of these tags are improperly escaped and can lead to arbitrary HTML/scripts being injected into the index.html file.The
serializeAttrs
function used by the built-inhtml
plugin incorrectly escapes HTML attributes usingJSON.stringify
: https://github.com/vitejs/vite/blob/1a76300cd16827f0640924fdc21747ce140c35fb/packages/vite/src/node/plugins/html.ts#L1513This code dates back to 4 years ago: https://github.com/vitejs/vite/commit/9ce2ab4febfb110b03760a2494546d683097189c#diff-89bae1df62862bb7f4a03d82a1e9cbf4ac6d0c042f21fbbacb0a2238bd050042R140
Reproduction
https://stackblitz.com/edit/vitejs-vite-swzvsz?file=vite.config.ts
Steps to reproduce
Using the following
vite.config.ts
:The resulting index.html file now includes this:
(The leading
"
was incorrectly escaped with\
. One correct way to escape this in a HTML attribute would be"
.)System Info
Used Package Manager
npm
Logs
No response
Validations