prevent unsafe replacements of preloaded data etc

2026-01-18 21:45:12 +00:00 · 2018-07-14 20:56:05 -04:00
parent 0e3775397f
commit 74acf93c7a
3 changed files with 24 additions and 5 deletions
--- a/src/middleware.ts
+++ b/src/middleware.ts
@@ -360,11 +360,11 @@ function get_page_handler(App: Component, routes: RouteObject[], store_getter: (
 			}
 			const page = template()
-				.replace('%sapper.base%', `<base href="${req.baseUrl}/">`)
+				.replace('%sapper.base%', () => `<base href="${req.baseUrl}/">`)
-				.replace('%sapper.scripts%', `<script>${inline_script}</script>${scripts}`)
+				.replace('%sapper.scripts%', () => `<script>${inline_script}</script>${scripts}`)
-				.replace('%sapper.html%', html)
+				.replace('%sapper.html%', () => html)
-				.replace('%sapper.head%', `<noscript id='sapper-head-start'></noscript>${head}<noscript id='sapper-head-end'></noscript>`)
+				.replace('%sapper.head%', () => `<noscript id='sapper-head-start'></noscript>${head}<noscript id='sapper-head-end'></noscript>`)
-				.replace('%sapper.styles%', (css && css.code ? `<style>${css.code}</style>` : ''));
+				.replace('%sapper.styles%', () => (css && css.code ? `<style>${css.code}</style>` : ''));
 			res.statusCode = status;
 			res.end(page);
--- a/test/app/routes/unsafe-replacement.html
+++ b/test/app/routes/unsafe-replacement.html
@@ -0,0 +1,9 @@
 $&
 <script>
 	export default {
 		preload() {
 			return '$&';
 		}
 	};
 </script>
--- a/test/common/test.js
+++ b/test/common/test.js
@@ -619,6 +619,16 @@ function run({ mode, basepath = '' }) {
 						assert.equal(name, 'BODY');
 					});
 			});
 			it('replaces %sapper.xxx% tags safely', () => {
 				return nightmare
 					.goto(`${base}/unsafe-replacement`)
 					.init()
 					.page.html()
 					.then(html => {
 						assert.equal(html.indexOf('%sapper'), -1);
 					});
 			});
 		});
 		describe('headers', () => {