refactor: v2 release #6903
🦋 Changeset detected

Latest commit: 48f882a

The changes in this PR will be included in the next version bump.

This PR includes no changesets. When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types.
} | ||
errorDiv.setAttribute('q:key', '_error_'); | ||
const journal: VNodeJournal = []; | ||
vnode_getDOMChildNodes(journal, vHost).forEach((child) => errorDiv.appendChild(child)); |
Check warning
Code scanning / CodeQL
DOM text reinterpreted as HTML Medium
} else if (key === 'value' && key in element) { | ||
(element as any).value = escapeHTML(String(value)); | ||
} else if (key === dangerouslySetInnerHTML) { | ||
(element as any).innerHTML = value!; |
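Review bot: on the `key === 'value'` branch, `escapeHTML(String(value))` is assigned to the `.value` property, which the browser treats as plain text and never parses as markup, so if `escapeHTML` entity-encodes its input a value such as `a < b` reaches the user with the entities visible. Suggest assigning `String(value)` on that branch and keeping escaping for sinks that parse HTML. On the `dangerouslySetInnerHTML` branch, `value!` only silences the compiler; a runtime check that `value` is a string before the `innerHTML` assignment would make the sink's input explicit.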
Check warning
Code scanning / CodeQL
DOM text reinterpreted as HTML Medium
Copilot Autofix AI 7 days ago

To fix the problem, we need to ensure that any data assigned to `innerHTML` is properly sanitized to prevent XSS attacks. The best way to fix this without changing existing functionality is to use a function that escapes HTML special characters before assigning the value to `innerHTML`.

- Import or define a function to escape HTML special characters.
- Use this function to sanitize the `value` before assigning it to `innerHTML`.
@@ -895,3 +895,3 @@ | ||
} else if (key === dangerouslySetInnerHTML) { | ||
(element as any).innerHTML = value!; | ||
(element as any).innerHTML = escapeHTML(String(value)); | ||
} else { |
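Review bot: the replacement line under `key === dangerouslySetInnerHTML` escapes the value before the `innerHTML` assignment, which turns every caller's markup into literal text and removes the reason the prop exists, so this is a behaviour change rather than a neutral fix. Suggest keeping the raw assignment, documenting that the prop accepts only trusted or already-sanitized HTML, and resolving the alert by tracing where `value` originates. If user-controlled data can reach this branch, sanitize it at that source with an allowlist HTML sanitizer instead of escaping at the sink.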
const insertBefore = journal[idx++] as Element | Text | null; | ||
let newChild: any; | ||
while (idx < length && typeof (newChild = journal[idx]) !== 'number') { | ||
insertParent.insertBefore(newChild, insertBefore); |
Check warning
Code scanning / CodeQL
DOM text reinterpreted as HTML Medium
fix(repl): unbreak
they are not being used
this avoids having to transpile the vite.config.mts file, which sometimes causes eslint errors during builds
fix(v2): various dev fixes
v2: make optimizer async + remove fs
feat(v2): add nesting error file location
chore: merge main into v2
chore: merge main
fix: wait for QRL to resolve for signal attribute
Revert "fix: wait for QRL to resolve for signal attribute"
fix: input's value is string when passing number
fix: convert destructured array's props to signal
fix(repl): resolve core/internal
…throw fix: retry vnode diffing on promise throw
fix: component props as var props
feat: log a warning instead of throwing an error for server host mismatch error
chore: cleanup and docs fixes
Version Packages (alpha) Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Fix vNode serialization issue on server$
} | ||
|
||
if (key === dangerouslySetInnerHTML) { | ||
element.innerHTML = value as string; |
Check warning
Code scanning / CodeQL
DOM text reinterpreted as HTML Medium
Copilot Autofix AI 2 days ago

To fix the problem, we need to ensure that any text assigned to `innerHTML` is properly sanitized to prevent XSS attacks. The best way to fix this without changing existing functionality is to use a function that escapes HTML special characters before assigning the value to `innerHTML`.

- Import the `escapeHTML` function from the `character-escaping` module.
- Use the `escapeHTML` function to sanitize the `value` before assigning it to `innerHTML`.
@@ -656,3 +656,3 @@ | ||
if (key === dangerouslySetInnerHTML) { | ||
element.innerHTML = value as string; | ||
element.innerHTML = escapeHTML(value as string); | ||
element.setAttribute(QContainerAttr, QContainerValue.HTML); |
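Review bot: the last line of this hunk tags the element with `QContainerValue.HTML`, which by its name marks the element as holding HTML content, so the suggested `escapeHTML(value as string)` would leave that marker describing content that has been reduced to plain text. `value as string` is also a compile-time cast only and does not coerce or validate at runtime. Suggest leaving the assignment unescaped, adding a `typeof value === 'string'` guard before it, and stating in the prop's documentation that the caller is responsible for sanitizing the HTML it passes.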
This PR is for showing progress on v2, and having installable npm packages.
DO NOT MERGE
The changes are meant to be readable and maintainable, so if things are unclear please let us know.