unescaped script tags strings in injected code #6226

Closed
hville opened this issue May 3, 2021 · 2 comments · Fixed by #6589
hville commented May 3, 2021

🐛 bug report

Inline code injection into HTML pages can insert unescaped HTML tags (first mentioned in #6213).
JavaScript strings containing HTML code need to be escaped before HTML injection.

💻 Code Sample AND Current Behavior

```
// source module.js
export const tag = `<script></script>`

// source index.html
<script type=module>import {tag} from './module.js'</script>

// served bundled index.html
<script type=module>const tag = `<script></script>`</script>
```

🎛 Configuration (.babelrc, package.json, cli command)

no configuration file used

🌍 Your Environment

| Software | Version(s) |
| --- | --- |
| Parcel | 2.0.0-beta.2 |
| Node | v15.8.0 |

mischnic commented May 3, 2021

The replacement happens here:

```js
let newContent = await getAssetContent(
  bundleGraph,
  getInlineBundleContents,
  node.attrs['data-parcel-key'],
);
if (newContent != null) {
  let {contents, bundle} = newContent;
  node.content = (contents instanceof Readable
    ? await bufferStream(contents)
    : contents
  ).toString();
```

We "just" need to escape `</` in that string. (Though I'm not sure yet how.)

@devongovett

This was the best answer I found: https://stackoverflow.com/a/23983448. Basically replace '</script' with '</scr\ipt'.
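
The substitution suggested in the last comment, as an added example (not Parcel's code and not the change merged in #6589). `scriptEndOffset`, `escapeInlineScript` and `inlineScript` are hypothetical names, and the example assumes every `</script` in the bundle sits inside a string or template literal, as in the issue's sample.

```javascript
// Added example, not Parcel's code. All function names are hypothetical.

// Offset at which an HTML parser would close a <script> element whose text is
// `js`: the first "</script" (any case) followed by whitespace, "/" or ">".
// Returns -1 if the text never closes the element.
// Simplified: ignores the tokenizer's "<!--" escaped states.
function scriptEndOffset(js) {
  const m = /<\/script[\t\n\f\r \/>]/i.exec(js);
  return m ? m.index : -1;
}

// '</script' -> '</scr\ipt', preserving the original letter case.
// Inside a string or template literal "\i" evaluates to "i", so the runtime
// value is unchanged while the HTML parser no longer sees an end tag.
// Assumption: occurrences are inside such literals. In a regex literal or a
// String.raw template the extra backslash would change the meaning.
function escapeInlineScript(js) {
  return js.replace(/<\/(scr)(ipt)/gi, '</$1\\$2');
}

// Wrap bundled JavaScript in an inline module script, escaping it first.
function inlineScript(js) {
  return `<script type="module">${escapeInlineScript(js)}</script>`;
}

// Constructed sample: the bundled output shown in the issue.
const bundled = 'const tag = `<script></script>`';

console.log('unescaped closes at offset', scriptEndOffset(bundled));
console.log('escaped closes at offset  ', scriptEndOffset(escapeInlineScript(bundled)));
console.log(inlineScript(bundled));
```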
