Experimental switchLocalePathLinkSSR causing possible XSS vector

[KilianSSL]

Environment

• Operating System: Darwin
• Node Version: v20.11.1
• Nuxt Version: 3.10.1
• CLI Version: 3.12.0
• Nitro Version: 2.9.6
• Package Manager: [email protected]
• Builder: -
• User Config: site, debug, app, ssr, telemetry, devtools, sourcemap, modules, vite, nitro, runtimeConfig, i18n, hooks, graphqlMiddleware, multiCache, sitemap, robots, svgSprite, alias, purgecss, htmlValidator
• Runtime Modules: @nuxtjs/[email protected], @nuxtjs/[email protected], @nuxtjs/[email protected], @nuxtjs/[email protected], @nuxtjs/[email protected], @pinia/[email protected], [email protected], [email protected], [email protected], @nuxt/test-utils/[email protected]
• Build Modules: -

Reproduction

Minimal Repro: https://github.com/KilianSSL/i18n-ssr-repro

Disable javascript, to best review the SSR response.

1. Set experimental switchLocalePathLinkSSR flag to true
2. Create a wildcard page like /pages/[...slug].vue
3. Make sure you have a language switcher utilizing <SwitchLocalePathLink>
4. Navigate to a page like: http://localhost:3000/fr/%22%3Exss/
5. If not manually overridden/sanitized via

setI18nParams({
  fr: { slug: '' },
  de: { slug: '' },
})  

the ">xss/ portion of the URL will cause <SwitchLocalePathLink> to output invalid HTML that will render whatever comes after ">xss/.

Describe the bug

The bug seems to be caused by <SwitchLocalePathLink> defaulting to the current URL parameters, if not set otherwise via setI18nParams. The parameters are not being sanitized before they're used in the generated HTML.

Additional context

No response

Logs

No response

[BobbieGoede]

This is problematic, thanks for reporting! I'll see if I can get this fixed soon and publish a patch release with it.