

fix(create): Do not HTML escape strings used in the config file
Fixes #1070
michaelbromley committed Sep 13, 2021
1 parent 1ebc872 commit 954c03a
Showing 2 changed files with 19 additions and 20 deletions.
29 changes: 14 additions & 15 deletions packages/create/src/gather-user-responses.ts
Expand Up @@ -111,13 +111,8 @@ export async function gatherUserResponses(root: string): Promise<UserResponses>
process.exit(0);
}

const {
indexSource,
indexWorkerSource,
configSource,
migrationSource,
readmeSource,
} = await generateSources(root, answers);
const { indexSource, indexWorkerSource, configSource, migrationSource, readmeSource } =
await generateSources(root, answers);
return {
indexSource,
indexWorkerSource,
Expand Down Expand Up @@ -148,13 +143,8 @@ export async function gatherCiUserResponses(root: string): Promise<UserResponses
superadminIdentifier: SUPER_ADMIN_USER_IDENTIFIER,
superadminPassword: SUPER_ADMIN_USER_PASSWORD,
};
const {
indexSource,
indexWorkerSource,
configSource,
migrationSource,
readmeSource,
} = await generateSources(root, ciAnswers);
const { indexSource, indexWorkerSource, configSource, migrationSource, readmeSource } =
await generateSources(root, ciAnswers);
return {
indexSource,
indexWorkerSource,
Expand Down Expand Up @@ -184,6 +174,15 @@ async function generateSources(
}> {
const assetPath = (fileName: string) => path.join(__dirname, '../assets', fileName);

/**
* Helper to escape single quotes only. Used when generating the config file since e.g. passwords
* might use special chars (`< > ' "` etc) which Handlebars would be default convert to HTML entities.
* Instead, we disable escaping and use this custom helper to escape only the single quote character.
*/
Handlebars.registerHelper('escapeSingle', (aString: unknown) => {
return typeof aString === 'string' ? aString.replace(`'`, `\\'`) : aString;
});

const templateContext = {
...answers,
dbType: answers.dbType === 'sqlite' ? 'better-sqlite3' : answers.dbType,
Expand All @@ -194,7 +193,7 @@ async function generateSources(
requiresConnection: answers.dbType !== 'sqlite' && answers.dbType !== 'sqljs',
};
const configTemplate = await fs.readFile(assetPath('vendure-config.hbs'), 'utf-8');
const configSource = Handlebars.compile(configTemplate)(templateContext);
const configSource = Handlebars.compile(configTemplate, { noEscape: true })(templateContext);
const indexTemplate = await fs.readFile(assetPath('index.hbs'), 'utf-8');
const indexSource = Handlebars.compile(indexTemplate)(templateContext);
const indexWorkerTemplate = await fs.readFile(assetPath('index-worker.hbs'), 'utf-8');
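Review bot: The `replace` call in the `escapeSingle` helper's return statement passes a plain string as the pattern, so only the first single quote in the value is escaped, and backslashes and line breaks are left untouched; a password or database name containing a second `'`, a `\` or a newline still produces a generated config file that is syntactically broken or in which the rest of the value is parsed as code. With `noEscape: true` on the config template this helper is now the only thing keeping user-supplied answers inside their string literals, so it should cover every character that can terminate or alter one, e.g. `return typeof aString === 'string' ? aString.replace(/\\/g, '\\\\').replace(/'/g, "\\'") : aString;`. `JSON.stringify` would cover all of these at once, but since the template wraps each value in its own quotes that would also mean dropping the surrounding quotes in vendure-config.hbs. Registering the helper on the shared `Handlebars` instance on every call is idempotent but could live at module scope instead. generateSources starts before this hunk and its body continues past it.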
10 changes: 5 additions & 5 deletions packages/create/templates/vendure-config.hbs
Expand Up @@ -45,24 +45,24 @@ const path = require('path');
},
authOptions: {
superadminCredentials: {
identifier: '{{ superadminIdentifier }}',
password: '{{ superadminPassword }}',
identifier: '{{{ escapeSingle superadminIdentifier }}}',
password: '{{{ escapeSingle superadminPassword }}}',
},
},
dbConnectionOptions: {
type: '{{ dbType }}',
synchronize: true, // turn this off for production
logging: false,
database: {{#if isSQLjs}}new Uint8Array([]){{else if isSQLite}}path.join(__dirname, '../vendure.sqlite'){{else}}'{{ dbName }}'{{/if}},
database: {{#if isSQLjs}}new Uint8Array([]){{else if isSQLite}}path.join(__dirname, '../vendure.sqlite'){{else}}'{{{ escapeSingle dbName }}}'{{/if}},
{{#if isSQLjs}}
location: path.join(__dirname, 'vendure.sqlite'),
autoSave: true,
{{/if}}
{{#if requiresConnection}}
host: '{{ dbHost }}',
port: {{ dbPort }},
username: '{{ dbUserName }}',
password: '{{ dbPassword }}',
username: '{{{ escapeSingle dbUserName }}}',
password: '{{{ escapeSingle dbPassword }}}',
{{/if}}
migrations: [path.join(__dirname, '../migrations/*.ts')],
},
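Review bot: `host: '{{ dbHost }}',` is still rendered through a plain double-stash without `escapeSingle`, unlike the other single-quoted user-supplied values changed in this hunk; now that the config template is compiled with `noEscape: true`, a `'` in the host answer lands verbatim inside the literal and breaks the generated file. The line should match its neighbours: `host: '{{{ escapeSingle dbHost }}}',`. `port: {{ dbPort }},` is emitted unquoted, so it relies entirely on the prompt in gather-user-responses.ts rejecting non-numeric answers, which this diff does not show; worth confirming that validation exists.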

