Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

server-islands: only encode ETAGO delimiter + opening HTML comment syntax #11513

Open
wants to merge 8 commits into
base: main
Choose a base branch
from
Open

server-islands: only encode ETAGO delimiter + opening HTML comment syntax #11513

wants to merge 8 commits into from

Conversation

kurtextrem
Copy link
Contributor

@kurtextrem kurtextrem commented Jul 20, 2024
edited
Loading

Changes

As per https://mathiasbynens.be/notes/etago, to make JSON safe inside a <script> literal, you need to only encode end-open tag (ETAGO) delimiters and <!--. Thus, we can avoid some work. I've also hoisted the regexps so that we only initialize them once.

Regarding the removal of 0x2029 and 0x2028 added in #11508, to me it does not seem security related to escape those, jsesc notes:

avoid errors when passing JSON-formatted data (which may contain U+2028 LINE SEPARATOR, U+2029 PARAGRAPH SEPARATOR, or lone surrogates) to a JavaScript parser or an UTF-8 encoder.

Which does not seem relevant in the server-islands case. Did I miss anything here?

Testing

I used the following snippet by @ascorbic:
image

Docs

Only a small perf related change, so no further docs needed.

@changeset-bot changeset-bot
Copy link

changeset-bot bot commented Jul 20, 2024
edited
Loading

🦋 Changeset detected

Latest commit: a0d1205

The changes in this PR will be included in the next version bump.

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

@github-actions github-actions bot added the pkg: astro Related to the core `astro` package (scope) label Jul 20, 2024
@kurtextrem kurtextrem force-pushed the perf/server-islands-json branch from ed1f3ec to 87aa1f6 Compare July 20, 2024 10:54
@matthewp
Copy link
Contributor

Thanks @kurtextrem! Would you mind adding a test for this? You can add one here: https://github.com/withastro/astro/blob/main/packages/astro/test/server-islands.test.js (see the fixtures being used). The last PR was a hot-fix so a test didn't get added for urgency but now since the problem is fixed it would be good to have a test to prevent regressions.

@florian-lefebvre
Copy link
Member

@kurtextrem are you still interested in this PR? It would just need a test to move forward

@florian-lefebvre florian-lefebvre added the needs response Issue needs response from OP label Nov 13, 2024
@kurtextrem
Copy link
Contributor Author

@florian-lefebvre Sorry, yeah - I am. The only unclear thing is how extensive we want to test this.

@matthewp
Copy link
Contributor

@kurtextrem it doesn't need to be that extensive, we just want to make sure that scripts can't be injected mostly.

@ematipico
Copy link
Member

@kurtextrem, are you still interested in finishing the PR?

@codspeed-hq CodSpeed HQ
Copy link

codspeed-hq bot commented Jan 8, 2025
edited
Loading

CodSpeed Performance Report

Merging #11513 will not alter performance

Comparing kurtextrem:perf/server-islands-json (a0d1205) with main (35d77b4)

Summary

✅ 6 untouched benchmarks

@florian-lefebvre florian-lefebvre removed the needs response Issue needs response from OP label Jan 8, 2025
ematipico
ematipico approved these changes Jan 8, 2025
View reviewed changes
Copy link
Member

@ematipico ematipico left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just a nit. Looks good!

packages/astro/src/runtime/server/render/server-islands.ts Outdated Show resolved Hide resolved
ascorbic
ascorbic reviewed Jan 8, 2025
View reviewed changes
packages/astro/test/fixtures/server-islands/ssr/src/pages/index.astro Outdated
@@ -1,12 +1,14 @@
---
import Island from '../components/Island.astro';

const xssMe ="</script><script>alert('xss')</script>"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It would be good to have a couple more examples in the test, particularly one that uses a comment

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not really familiar with what could through, examples welcome

Copy link
Contributor Author

@kurtextrem kurtextrem Jan 8, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Probably something like '"<!--"</script>'. Thank you for taking this over.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@florian-lefebvre florian-lefebvre florian-lefebvre left review comments

@ematipico ematipico ematipico approved these changes

@ascorbic ascorbic Awaiting requested review from ascorbic

Assignees
No one assigned
Labels
pkg: astro Related to the core `astro` package (scope)
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@kurtextrem @matthewp @florian-lefebvre @ematipico @ascorbic