From 74acf93c7a8a355ab0570476025df22e7a3ec2bd Mon Sep 17 00:00:00 2001 From: Rich Harris Date: Sat, 14 Jul 2018 20:56:05 -0400 Subject: [PATCH 1/2] prevent unsafe replacements of preloaded data etc --- src/middleware.ts | 10 +++++----- test/app/routes/unsafe-replacement.html | 9 +++++++++ test/common/test.js | 10 ++++++++++ 3 files changed, 24 insertions(+), 5 deletions(-) create mode 100644 test/app/routes/unsafe-replacement.html diff --git a/src/middleware.ts b/src/middleware.ts index 44c2b50..79e4950 100644 --- a/src/middleware.ts +++ b/src/middleware.ts @@ -360,11 +360,11 @@ function get_page_handler(App: Component, routes: RouteObject[], store_getter: ( } const page = template() - .replace('%sapper.base%', ``) - .replace('%sapper.scripts%', `${scripts}`) - .replace('%sapper.html%', html) - .replace('%sapper.head%', `${head}`) - .replace('%sapper.styles%', (css && css.code ? `` : '')); + .replace('%sapper.base%', () => ``) + .replace('%sapper.scripts%', () => `${scripts}`) + .replace('%sapper.html%', () => html) + .replace('%sapper.head%', () => `${head}`) + .replace('%sapper.styles%', () => (css && css.code ? `` : '')); res.statusCode = status; res.end(page); diff --git a/test/app/routes/unsafe-replacement.html b/test/app/routes/unsafe-replacement.html new file mode 100644 index 0000000..98c654f --- /dev/null +++ b/test/app/routes/unsafe-replacement.html @@ -0,0 +1,9 @@ +$& + + \ No newline at end of file diff --git a/test/common/test.js b/test/common/test.js index 79751e7..84fb55e 100644 --- a/test/common/test.js +++ b/test/common/test.js @@ -619,6 +619,16 @@ function run({ mode, basepath = '' }) { assert.equal(name, 'BODY'); }); }); + + it('replaces %sapper.xxx% tags safely', () => { + return nightmare + .goto(`${base}/unsafe-replacement`) + .init() + .page.html() + .then(html => { + assert.equal(html.indexOf('%sapper'), -1); + }); + }); }); describe('headers', () => { From b75ae7ba9662d3c4adb4f91d32e8510baf07336e Mon Sep 17 00:00:00 2001 
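Review bot: The function replacers stop `$&`/`$1`/`$'` in rendered content from being expanded, but the chain still re-scans the whole accumulated string on every call, so a placeholder name that occurs inside already-substituted content (for example the literal text `%sapper.head%` inside the rendered `html`) is consumed by the later `.replace('%sapper.head%', …)` while the template's own placeholder is left in place. Resolving all five placeholders in a single pass removes that ordering dependency: `template().replace(/%sapper\.(base|scripts|html|head|styles)%/g, m => fragments[m]())`, where `fragments` maps each `%sapper.xxx%` key to the expression currently passed to the corresponding `.replace` call. The new test only checks that no `%sapper` text survives, so this case would not be caught by it. Separately, if `scripts` inlines serialized preloaded data into a script element (not visible in this hunk), that serialization must also escape `</script>` and `<!--` sequences, which the placeholder fix does not cover. The enclosing `get_page_handler` begins and ends outside the hunk.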
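Review bot: The new assertion `assert.equal(html.indexOf('%sapper'), -1)` is negative-only, so an empty body, an error page, or a route that rendered nothing would also pass it; the regression it guards (a `$&` in the fixture expanding to the matched placeholder) should be pinned from the positive side as well, e.g. `assert.ok(html.indexOf('$&') !== -1, 'replacement pattern must be rendered verbatim');`. The fixture's full contents are not visible here, so adjust the expected literal to whatever `unsafe-replacement.html` actually emits. The enclosing `run` function starts before and ends after this hunk.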
From: Rich Harris Date: Sat, 14 Jul 2018 21:05:39 -0400 Subject: [PATCH 2/2] -> v0.14.2 --- CHANGELOG.md | 4 ++++ package.json | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 0403ed4..55d2819 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,9 @@ # sapper changelog +## 0.14.2 + +* Prevent unsafe replacements ([#307](https://github.com/sveltejs/sapper/pull/307)) + ## 0.14.1 * Route parameters can be qualified with regex characters ([#283](https://github.com/sveltejs/sapper/pull/283)) diff --git a/package.json b/package.json index f23a3c3..8a8b7a6 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "sapper", - "version": "0.14.1", + "version": "0.14.2", "description": "Military-grade apps, engineered by Svelte", "main": "dist/middleware.ts.js", "bin": {