Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: escape < in attribute strings #12989

Merged
merged 5 commits into from
Aug 23, 2024
Merged

fix: escape < in attribute strings #12989

merged 5 commits into from
Aug 23, 2024

Conversation

dummdidumm
Copy link
Member

Svelte 4 version of #11411

Before submitting the PR, please make sure you do the following

  • It's really useful if your PR references an issue where it is discussed ahead of time. In many cases, features are absent for a reason. For large changes, please create an RFC: https://github.com/sveltejs/rfcs
  • Prefix your PR title with feat:, fix:, chore:, or docs:.
  • This message body should clearly illustrate what problems it solves.
  • Ideally, include a test that fails without this PR but passes with it.

Tests and linting

  • Run the tests with pnpm test and lint the project with pnpm lint

Copy link

changeset-bot bot commented Aug 23, 2024

🦋 Changeset detected

Latest commit: fb22bd9

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package
Name Type
svelte Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

@dummdidumm dummdidumm merged commit 83e96e0 into svelte-4 Aug 23, 2024
8 checks passed
@dummdidumm dummdidumm deleted the escape-attr branch August 23, 2024 16:08
@github-actions github-actions bot mentioned this pull request Aug 23, 2024
@Pierrci
Copy link

Pierrci commented Aug 30, 2024

Is there any chance this could be backported to Svelte 3, too? 😅

@Uzume
Copy link

Uzume commented Sep 15, 2024

It seems like this issue was introduced in #5701. This is a great example of both performance sensitive and security sensitive code.

It seems like #8434 is no longer needed as this PR (re)introduces < always being HTML entity escaped in attributes.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants