Merge branch 'master' into gh-262
@@ -1,5 +1,9 @@
|
|||||||
# sapper changelog
|
# sapper changelog
|
||||||
|
|
||||||
|
## 0.14.2
|
||||||
|
|
||||||
|
* Prevent unsafe replacements ([#307](https://github.com/sveltejs/sapper/pull/307))
|
||||||
|
|
||||||
## 0.14.1
|
## 0.14.1
|
||||||
|
|
||||||
* Route parameters can be qualified with regex characters ([#283](https://github.com/sveltejs/sapper/pull/283))
|
* Route parameters can be qualified with regex characters ([#283](https://github.com/sveltejs/sapper/pull/283))
|
||||||
|
|||||||
@@ -1,6 +1,6 @@
|
|||||||
{
|
{
|
||||||
"name": "sapper",
|
"name": "sapper",
|
||||||
"version": "0.14.1",
|
"version": "0.14.2",
|
||||||
"description": "Military-grade apps, engineered by Svelte",
|
"description": "Military-grade apps, engineered by Svelte",
|
||||||
"main": "dist/middleware.ts.js",
|
"main": "dist/middleware.ts.js",
|
||||||
"bin": {
|
"bin": {
|
||||||
|
|||||||
@@ -355,11 +355,11 @@ function get_page_handler(routes: RouteObject[], store_getter: (req: Req) => Sto
|
|||||||
}
|
}
|
||||||
|
|
||||||
const page = template()
|
const page = template()
|
||||||
.replace('%sapper.base%', `<base href="${req.baseUrl}/">`)
|
.replace('%sapper.base%', () => `<base href="${req.baseUrl}/">`)
|
||||||
.replace('%sapper.scripts%', `<script>${inline_script}</script>${scripts}`)
|
.replace('%sapper.scripts%', () => `<script>${inline_script}</script>${scripts}`)
|
||||||
.replace('%sapper.html%', html)
|
.replace('%sapper.html%', () => html)
|
||||||
.replace('%sapper.head%', `<noscript id='sapper-head-start'></noscript>${head}<noscript id='sapper-head-end'></noscript>`)
|
.replace('%sapper.head%', () => `<noscript id='sapper-head-start'></noscript>${head}<noscript id='sapper-head-end'></noscript>`)
|
||||||
.replace('%sapper.styles%', (css && css.code ? `<style>${css.code}</style>` : ''));
|
.replace('%sapper.styles%', () => (css && css.code ? `<style>${css.code}</style>` : ''));
|
||||||
|
|
||||||
res.statusCode = status;
|
res.statusCode = status;
|
||||||
res.end(page);
|
res.end(page);
|
||||||
|
|||||||
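Review bot: The five `.replace()` calls on `template()` are still chained, so text inserted for one tag is rescanned when the next tag is replaced. The function replacers stop `$&`-style patterns from being expanded, but rendered content that itself contains a `%sapper.xxx%` string could still be substituted by a later call, depending on where the tags sit in the template. A single pass over the template with one regex and a lookup of replacers avoids that, as sketched below; note that it replaces every occurrence of a tag rather than only the first. Separately, `req.baseUrl` is written into the `href` attribute unescaped, which is worth confirming is safe for every mount path. The body of `get_page_handler` starts and ends outside this hunk.

```typescript
// … unchanged: everything in get_page_handler up to the page assembly …
const tags = new Map<string, () => string>([
	['base', () => `<base href="${req.baseUrl}/">`],
	['scripts', () => `<script>${inline_script}</script>${scripts}`],
	['html', () => html],
	['head', () => `<noscript id='sapper-head-start'></noscript>${head}<noscript id='sapper-head-end'></noscript>`],
	['styles', () => (css && css.code ? `<style>${css.code}</style>` : '')]
]);

// single pass: text inserted for one tag is never rescanned for another
const page = template().replace(/%sapper\.(\w+)%/g, (match, key) => {
	const render = tags.get(key);
	return render ? render() : match;
});
// … unchanged: res.statusCode / res.end(page) …
```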
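--- a/test/app/routes/unsafe-replacement.html
+++ b/test/app/routes/unsafe-replacement.html
@@ -0,0 +1,9 @@
+$&
+
+<script>
+export default {
+preload() {
+return '$&';
+}
+};
+</script>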
@@ -619,6 +619,16 @@ function run({ mode, basepath = '' }) {
|
|||||||
assert.equal(name, 'BODY');
|
assert.equal(name, 'BODY');
|
||||||
});
|
});
|
||||||
});
|
});
|
||||||
|
|
||||||
|
it('replaces %sapper.xxx% tags safely', () => {
|
||||||
|
return nightmare
|
||||||
|
.goto(`${base}/unsafe-replacement`)
|
||||||
|
.init()
|
||||||
|
.page.html()
|
||||||
|
.then(html => {
|
||||||
|
assert.equal(html.indexOf('%sapper'), -1);
|
||||||
|
});
|
||||||
|
});
|
||||||
});
|
});
|
||||||
|
|
||||||
describe('headers', () => {
|
describe('headers', () => {
|
||||||
|
|||||||
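Review bot: The new `it('replaces %sapper.xxx% tags safely', ...)` case only asserts that no `%sapper` text is left in the page, and its fixture only exercises `$&`. A regression that expands the other special replacement patterns (the ones that insert the text before or after the match) would likely pass unnoticed, because by then the earlier tags have already been replaced. Consider also asserting that the literal survives, e.g. `assert.ok(html.indexOf('$&') !== -1);` (assuming `page.html()` returns the serialised markup), and adding those other patterns to `unsafe-replacement.html`. The enclosing `describe` and `run` start outside this hunk.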