@lwrjs/view-registry 0.23.4 → 0.23.6

@@ -63,12 +63,12 @@ function getViewBootstrapConfigurationResource(viewInfo, config, runtimeEnvironm
63
63
  "/* This script is generated */",
64
64
  "/* Client Bootstrap configuration */",
65
65
  `globalThis.LWR = globalThis.LWR || {};`,
66
- `Object.assign(globalThis.LWR, ${JSON.stringify({
66
+ `Object.assign(globalThis.LWR, ${(0, import_shared_utils.serializeForScript)({
67
67
  ...config,
68
68
  endpoints
69
69
  })});`,
70
- `globalThis.LWR = {...globalThis.LWR, env: ${JSON.stringify(lwrEnv)}};`,
71
- `globalThis.process={...globalThis.process,env:{...globalThis.process?.env,...${JSON.stringify(nodeEnv)}}};`,
70
+ `globalThis.LWR = {...globalThis.LWR, env: ${(0, import_shared_utils.serializeForScript)(lwrEnv)}};`,
71
+ `globalThis.process={...globalThis.process,env:{...globalThis.process?.env,...${(0, import_shared_utils.serializeForScript)(nodeEnv)}}};`,
72
72
  `globalThis.lwcRuntimeFlags = { ENABLE_MIXED_SHADOW_MODE: ${viewInfo.mixedMode}, ENABLE_WIRE_SYNC_EMIT: ${viewInfo.ssr} };`,
73
73
  warnings?.length && warnMessages
74
74
  ].filter(Boolean).join("\n");
@@ -103,8 +103,8 @@ function getViewHmrConfigurationResource(view, viewMetadata) {
103
103
  /* generated View/HMR debug script */
104
104
  globalThis._lwrRuntimeDebug = {
105
105
  viewMetadata: {
106
- assetReferences: ${JSON.stringify(refs)},
107
- templates: ${JSON.stringify([contentTemplate, layoutTemplate].filter(Boolean))}
106
+ assetReferences: ${(0, import_shared_utils.serializeForScript)(refs)},
107
+ templates: ${(0, import_shared_utils.serializeForScript)([contentTemplate, layoutTemplate].filter(Boolean))}
108
108
  }
109
109
  }
110
110
  `
@@ -1,5 +1,5 @@
1
1
  import { stringifyError } from '@lwrjs/diagnostics';
2
- import { buildEnvironmentContext, getMappingUriPrefix, getModuleUriPrefix, getClientBootstrapConfigurationUri, hashContent, } from '@lwrjs/shared-utils';
2
+ import { buildEnvironmentContext, getMappingUriPrefix, getModuleUriPrefix, getClientBootstrapConfigurationUri, hashContent, serializeForScript, } from '@lwrjs/shared-utils';
3
3
  const CONTENT_TYPE = 'application/javascript';
4
4
  export function getViewBootstrapConfigurationResource(viewInfo, config, runtimeEnvironment, runtimeParams, warnings) {
5
5
  const { compat, debug, hmrEnabled, apiVersion, format } = runtimeEnvironment;
@@ -36,12 +36,15 @@ export function getViewBootstrapConfigurationResource(viewInfo, config, runtimeE
36
36
  '/* This script is generated */',
37
37
  '/* Client Bootstrap configuration */',
38
38
  `globalThis.LWR = globalThis.LWR || {};`,
39
- `Object.assign(globalThis.LWR, ${JSON.stringify({
39
+ // serializeForScript (not JSON.stringify) so request-derived values such as
40
+ // config.serverData.routeParams cannot break out of this inline <script>
41
+ // element via a forged </script> sequence (CWE-79, W-23040697).
42
+ `Object.assign(globalThis.LWR, ${serializeForScript({
40
43
  ...config,
41
44
  endpoints,
42
45
  })});`,
43
- `globalThis.LWR = {...globalThis.LWR, env: ${JSON.stringify(lwrEnv)}};`,
44
- `globalThis.process={...globalThis.process,env:{...globalThis.process?.env,...${JSON.stringify(nodeEnv)}}};`,
46
+ `globalThis.LWR = {...globalThis.LWR, env: ${serializeForScript(lwrEnv)}};`,
47
+ `globalThis.process={...globalThis.process,env:{...globalThis.process?.env,...${serializeForScript(nodeEnv)}}};`,
45
48
  // TODO: evaluate moving these to app layer
46
49
  `globalThis.lwcRuntimeFlags = { ENABLE_MIXED_SHADOW_MODE: ${viewInfo.mixedMode}, ENABLE_WIRE_SYNC_EMIT: ${viewInfo.ssr} };`,
47
50
  warnings?.length && warnMessages,
@@ -83,8 +86,8 @@ export function getViewHmrConfigurationResource(view, viewMetadata) {
83
86
  /* generated View/HMR debug script */
84
87
  globalThis._lwrRuntimeDebug = {
85
88
  viewMetadata: {
86
- assetReferences: ${JSON.stringify(refs)},
87
- templates: ${JSON.stringify([contentTemplate, layoutTemplate].filter(Boolean))}
89
+ assetReferences: ${serializeForScript(refs)},
90
+ templates: ${serializeForScript([contentTemplate, layoutTemplate].filter(Boolean))}
88
91
  }
89
92
  }
90
93
  `,
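Review bot: The `globalThis.lwcRuntimeFlags` entry in the bootstrap array of `getViewBootstrapConfigurationResource` still writes `${viewInfo.mixedMode}` and `${viewInfo.ssr}` into the inline script unescaped, and `warnings?.length && warnMessages` is appended unchanged, so the `</script>` hardening of this array is only partial. Both flags look like booleans, in which case coercing them, e.g. `ENABLE_MIXED_SHADOW_MODE: ${Boolean(viewInfo.mixedMode)}`, costs nothing and no longer relies on every caller passing a boolean. `warnMessages` is built outside this hunk; if any warning text can carry request-derived data, it needs the same treatment as `config`. The CommonJS build of the same function earlier on the page has identical lines. A regression test that puts `</script>` into `config.serverData.routeParams` and asserts the emitted resource contains no literal `</script` would pin the fix, since the implementation of `serializeForScript` is not part of this package's diff.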
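--- a/package/package.json
+++ b/package/package.json
@@ -4,7 +4,7 @@
  "publishConfig": {
  "access": "public"
  },
- "version": "0.23.4",
+ "version": "0.23.6",
  "homepage": "https://developer.salesforce.com/docs/platform/lwr/overview",
  "repository": {
  "type": "git",
@@ -33,15 +33,15 @@
  "build": "tsc -b"
  },
  "dependencies": {
- "@lwrjs/app-service": "0.23.4",
- "@lwrjs/config": "0.23.4",
- "@lwrjs/diagnostics": "0.23.4",
- "@lwrjs/instrumentation": "0.23.4",
- "@lwrjs/shared-utils": "0.23.4",
+ "@lwrjs/app-service": "0.23.6",
+ "@lwrjs/config": "0.23.6",
+ "@lwrjs/diagnostics": "0.23.6",
+ "@lwrjs/instrumentation": "0.23.6",
+ "@lwrjs/shared-utils": "0.23.6",
  "lru-cache": "^10.4.3"
  },
  "devDependencies": {
- "@lwrjs/types": "0.23.4"
+ "@lwrjs/types": "0.23.6"
  },
  "engines": {
  "node": ">=22.0.0"
@@ -49,5 +49,5 @@
  "volta": {
  "extends": "../../../package.json"
  },
- "gitHead": "dedca0fa75a00da4cb52d49e4ed507b242fe0d63"
+ "gitHead": "39e89890152606679168b0e6beb972e0b1aa47ba"
  }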