withastro / astro

The web framework for content-driven websites. ⭐️ Star to support our work!
https://astro.build

Astro component with `?raw` suffix should not be executed #11502

Closed erwinheldy closed 1 month ago

erwinheldy commented 1 month ago

Astro Info

Astro                    v4.12.1
Node                     v18.20.3
System                   Linux (x64)
Package Manager          npm
Output                   static
Adapter                  none
Integrations             none

If this issue only occurs in one browser, which browser is a problem?

No response

Describe the Bug

Because Astro components with the suffix ?raw are strings, the string should not be executed, even if there is a script tag within it.

For example, I have a Hello.astro component:

<h1>Hello world</h1>
<script>alert("Hello world")</script>

Now I import it using ?raw:

---
import { Code } from 'astro:components'
import Hello from '../components/Hello.astro?raw';
---

<Code code={Hello} lang="html" />

Results: (screenshot)

What's the expected result?

The string should not be executed.

Link to Minimal Reproducible Example

https://stackblitz.com/edit/github-dznkn1?file=src%2Fpages%2Findex.astro

Fryuni commented 1 month ago

This one is related to https://github.com/withastro/astro/pull/11478 where we make it so the code doesn't get transformed when one of Vite's magic queries is present.

In those cases, the script and styles should not propagate to the parent.
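The contract both comments describe is that a `?raw` import is inert text: it is displayed, never parsed as a component, so no `<script>` or `<style>` inside it should become a live element on the page. The following is an added example, not Astro's or the compiler's own code, that models that contract in plain JavaScript and gives a check usable in a regression test. `HELLO_RAW` is a constructed stand-in for the `?raw` import of the `Hello.astro` shown above; `escapeHtml`, `renderRawAsCode`, `renderRawUnescaped` and `containsLiveScript` are hypothetical helpers, not Astro APIs.

```javascript
// Constructed stand-in for `import Hello from '../components/Hello.astro?raw'`:
// the component source as a plain string.
const HELLO_RAW = '<h1>Hello world</h1>\n<script>alert("Hello world")</script>\n';

// Escape the characters that can change HTML structure, so the string is shown
// as text instead of being interpreted as markup.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Expected behaviour: the raw string is rendered as escaped text inside a code
// block, the way a `<Code code={Hello} lang="html" />` display should end up.
function renderRawAsCode(raw, lang = 'html') {
  return `<pre><code class="language-${lang}">${escapeHtml(raw)}</code></pre>`;
}

// Models what the bug report observed: the string's contents reach the page as
// real markup, so its <script> element is live (here: pasted unescaped).
function renderRawUnescaped(raw) {
  return `<pre><code>${raw}</code></pre>`;
}

// Regression check: does the rendered output contain a live <script> element?
// Output built from a raw import must never contain one.
function containsLiveScript(html) {
  return /<script\b[^>]*>/i.test(html);
}
```

In a test, feed the rendered page to `containsLiveScript` and require `false` for any output built from a `?raw` import; the unescaped variant above is only there to show what the check catches.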