airbnb/hypernova

Encode closing Tag

Open

#165 opened on Oct 9, 2019

View on GitHub
 (8 comments) (4 reactions) (0 assignees)JavaScript (249 forks)batch import
bughelp wanted

Repository metrics

Stars
 (5,831 stars)
PR merge metrics
 (No merged PRs in 30d)

Description

Currently encoding in the index.js only includes

const ENCODE = [
  ['&', '&'],
  ['>', '>'],
];

If a component is being rendered SSR and includes a property with a closing script tag, the script tag in the SSrendered HTML will close the hypernova script.

<script type="application/json" data-hypernova-key="App" data-hypernova-id="....">
   <!-- {"props": ..., "title":"</script "} 

which will throw an error in the JSON.parse method of the payload.

is there a reason closing tags are not encoded here ? Following changes would suffice:

var ENCODE = [
['&', '&amp;'],
['>', '&gt;'],
['<', '&lt;']
];

Contributor guide