From 5983f366d499f74d473097154bbbcc8e51476dc4 Mon Sep 17 00:00:00 2001 From: sunnylost Date: Tue, 10 Sep 2024 19:45:39 +0800 Subject: [PATCH] fix(html): escape html attribute (#18067) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: 翠 / green --- packages/vite/src/node/plugins/html.ts | 3 ++- playground/html/__tests__/html.spec.ts | 5 +++++ playground/html/vite.config.js | 17 +++++++++++++++++ 3 files changed, 24 insertions(+), 1 deletion(-) diff --git a/packages/vite/src/node/plugins/html.ts b/packages/vite/src/node/plugins/html.ts index c056752ea6326d..8b7908a0d288bc 100644 --- a/packages/vite/src/node/plugins/html.ts +++ b/packages/vite/src/node/plugins/html.ts @@ -10,6 +10,7 @@ import MagicString from 'magic-string' import colors from 'picocolors' import type { DefaultTreeAdapterMap, ParserError, Token } from 'parse5' import { stripLiteral } from 'strip-literal' +import escapeHtml from 'escape-html' import type { Plugin } from '../plugin' import type { ViteDevServer } from '../server' import { @@ -1510,7 +1511,7 @@ function serializeAttrs(attrs: HtmlTagDescriptor['attrs']): string { if (typeof attrs[key] === 'boolean') { res += attrs[key] ? ` ${key}` : `` } else { - res += ` ${key}=${JSON.stringify(attrs[key])}` + res += ` ${key}="${escapeHtml(attrs[key])}"` } } return res diff --git a/playground/html/__tests__/html.spec.ts b/playground/html/__tests__/html.spec.ts index b3b8582d9a14e1..1d419346a5ef0e 100644 --- a/playground/html/__tests__/html.spec.ts +++ b/playground/html/__tests__/html.spec.ts @@ -471,3 +471,8 @@ test('html fallback works non browser accept header', async () => { ).status, ).toBe(200) }) + +test('escape html attribute', async () => { + const el = await page.$('.unescape-div') + expect(el).toBeNull() +}) diff --git a/playground/html/vite.config.js b/playground/html/vite.config.js index f8c14eef4ca402..cc3f6ba3a4ef34 100644 --- a/playground/html/vite.config.js +++ b/playground/html/vite.config.js @@ -214,5 +214,22 @@ ${ ] }, }, + { + name: 'escape-html-attribute', + transformIndexHtml: { + order: 'post', + handler() { + return [ + { + tag: 'link', + attrs: { + href: `">
extra content
`, + }, + injectTo: 'body', + }, + ] + }, + }, + }, ], })