Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: escape < in attribute strings #12989

Merged
merged 5 commits into from
Aug 23, 2024
Merged

fix: escape < in attribute strings #12989

merged 5 commits into from
Aug 23, 2024
+59 −38

Conversation

dummdidumm
Copy link
Member

Svelte 4 version of #11411

Before submitting the PR, please make sure you do the following

  • It's really useful if your PR references an issue where it is discussed ahead of time. In many cases, features are absent for a reason. For large changes, please create an RFC: https://github.com/sveltejs/rfcs
  • Prefix your PR title with feat:, fix:, chore:, or docs:.
  • This message body should clearly illustrate what problems it solves.
  • Ideally, include a test that fails without this PR but passes with it.

Tests and linting

  • Run the tests with pnpm test and lint the project with pnpm lint

@changeset-bot changeset-bot
Copy link

changeset-bot bot commented Aug 23, 2024
edited
Loading

🦋 Changeset detected

Latest commit: fb22bd9

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package
Name Type
svelte Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

@dummdidumm dummdidumm merged commit 83e96e0 into svelte-4 Aug 23, 2024
8 checks passed
@dummdidumm dummdidumm deleted the escape-attr branch August 23, 2024 16:08
@github-actions github-actions bot mentioned this pull request Aug 23, 2024
Merged
@Pierrci
Copy link

Pierrci commented Aug 30, 2024

Is there any chance this could be backported to Svelte 3, too? 😅

@Uzume
Copy link

Uzume commented Sep 15, 2024
edited
Loading

It seems like this issue was introduced in #5701. This is a great example of both performance sensitive and security sensitive code.

It seems like #8434 is no longer needed as this PR (re)introduces < always being HTML entity escaped in attributes.

This was referenced Sep 15, 2024
Closed
Merged
@ovx ovx mentioned this pull request Oct 10, 2024
Open
@escapedcat
Copy link

💁‍♂️ Just a heads up
This is changing an & into &amp; in an image src-attribute for us.
Will stick to 4.2.18 for now.
Eventually might need to upgrade to v5 anyways.

@dummdidumm
Copy link
Member Author

Can you provide a reproduction?

@escapedcat
Copy link

escapedcat commented Jan 17, 2025
edited
Loading

Not worth it I think. Wanted to mention it, if other people run into this.
High chance this might be related to a special usage. First time I'm looking into Svelte in an existing project.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Rich-Harris Rich-Harris Rich-Harris approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@dummdidumm @Pierrci @Uzume @escapedcat @Rich-Harris