
Commit a0c7f28

Merge commit from fork
* fix: strip event handlers during SSR
* whatever conduitry you're not that cool
* tweak
1 parent 73098bb commit a0c7f28

4 files changed

+24
-0
lines changed

.changeset/chilly-comics-wear.md

Lines changed: 5 additions & 0 deletions
@@ -0,0 +1,5 @@
1+
---
2+
'svelte': patch
3+
---
4+
5+
fix: strip event handlers during SSR
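
Review bot: the changeset entry on added line 5 ("fix: strip event handlers during SSR") does not say which attributes are dropped, although it ships as a `patch` and changes rendered output. The fixtures in this commit exercise the change through spread attributes, so a wording such as "fix: omit `on*` event handler attributes from spread attributes during SSR" would tell users who pass handler strings in a spread what to expect after upgrading.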

packages/svelte/src/internal/server/index.js

Lines changed: 3 additions & 0 deletions
@@ -158,6 +158,9 @@ export function attributes(attrs, css_hash, classes, styles, flags = 0) {
158158
name = name.toLowerCase();
159159
}
160160

161+
// omit event handler attributes
162+
if (name.length > 2 && name.startsWith('on')) continue;
163+
161164
if (is_input) {
162165
if (name === 'defaultvalue' || name === 'defaultchecked') {
163166
name = name === 'defaultvalue' ? 'value' : 'checked';
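
Review bot: the prefix check on added line 162 reads `name` after a `toLowerCase()` call that sits inside a block closing at line 159, so if that block is conditional, a key such as `onClick` or `ONERROR` reaches `name.startsWith('on')` in its original case and is not skipped. Suggest testing a lowercased copy, for example `name.toLowerCase().startsWith('on')`, so the filter does not depend on that branch being taken. Separately, the predicate drops every attribute longer than two characters whose name begins with `on`, not only known event handlers; the comment on line 161 should say that this over-match is intentional.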
Lines changed: 3 additions & 0 deletions
@@ -0,0 +1,3 @@
1+
<div id="profile-123" class="card">content</div>
2+
3+
<img src="x" alt="photo" />
Lines changed: 13 additions & 0 deletions
@@ -0,0 +1,13 @@
1+
<script>
2+
const userdata = {
3+
id: 'profile-123',
4+
class: 'card',
5+
onclick: 'alert(1)',
6+
onerror: 'alert(1)',
7+
onfocus: 'alert(1)',
8+
onmouseover: 'alert(1)'
9+
};
10+
</script>
11+
12+
<div {...userdata}>content</div>
13+
<img src="x" alt="photo" {...{ onerror: 'alert(1)', onload: 'alert(1)' }} />
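
Review bot: every handler key in `userdata` (lines 5 to 8) and in the inline spread on line 13 is all-lowercase with a string value, so the fixture does not pin down how mixed-case keys or non-handler names beginning with `on` are treated. Suggest adding a key such as `onClick` and one benign attribute whose name starts with `on`, with matching lines in the expected output, so a later change to the case handling or to the prefix rule fails this test.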
