@sveltejs/kit 1.0.0-next.267 → 1.0.0-next.268

@@ -485,52 +485,29 @@ function coalesce_to_error(err) {
485
485
  : new Error(JSON.stringify(err));
486
486
  }
487
487
 
488
+ // dict from https://github.com/yahoo/serialize-javascript/blob/183c18a776e4635a379fdc620f81771f219832bb/index.js#L25
488
489
  /** @type {Record<string, string>} */
489
490
  const escape_json_in_html_dict = {
490
- '&': '\\u0026',
491
- '>': '\\u003e',
492
- '<': '\\u003c',
493
- '\u2028': '\\u2028',
494
- '\u2029': '\\u2029'
495
- };
496
-
497
- /** @type {Record<string, string>} */
498
- const escape_json_value_in_html_dict = {
499
- '"': '\\"',
500
491
  '<': '\\u003C',
501
492
  '>': '\\u003E',
502
493
  '/': '\\u002F',
503
- '\\': '\\\\',
504
- '\b': '\\b',
505
- '\f': '\\f',
506
- '\n': '\\n',
507
- '\r': '\\r',
508
- '\t': '\\t',
509
- '\0': '\\0',
510
494
  '\u2028': '\\u2028',
511
495
  '\u2029': '\\u2029'
512
496
  };
513
497
 
514
- /**
515
- * Escape a stringified JSON object that's going to be embedded in a `<script>` tag
516
- * @param {string} str
517
- */
518
- function escape_json_in_html(str) {
519
- // adapted from https://github.com/vercel/next.js/blob/694407450638b037673c6d714bfe4126aeded740/packages/next/server/htmlescape.ts
520
- // based on https://github.com/zertosh/htmlescape
521
- // License: https://github.com/zertosh/htmlescape/blob/0527ca7156a524d256101bb310a9f970f63078ad/LICENSE
522
- return str.replace(/[&><\u2028\u2029]/g, (match) => escape_json_in_html_dict[match]);
523
- }
498
+ const escape_json_in_html_regex = new RegExp(
499
+ `[${Object.keys(escape_json_in_html_dict).join('')}]`,
500
+ 'g'
501
+ );
524
502
 
525
503
  /**
526
- * Escape a string JSON value to be embedded into a `<script>` tag
527
- * @param {string} str
504
+ * Escape a JSONValue that's going to be embedded in a `<script>` tag
505
+ * @param {import("@sveltejs/kit/types/helper").JSONValue} val
528
506
  */
529
- function escape_json_value_in_html(str) {
530
- return escape(
531
- str,
532
- escape_json_value_in_html_dict,
533
- (code) => `\\u${code.toString(16).toUpperCase()}`
507
+ function escape_json_in_html(val) {
508
+ return JSON.stringify(val).replace(
509
+ escape_json_in_html_regex,
510
+ (match) => escape_json_in_html_dict[match]
534
511
  );
535
512
  }
536
513
 
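Review bot: The character class of the new `escape_json_in_html_regex` is built by joining the dict keys unescaped, so the regex is only valid while none of the keys is a class metacharacter; the current keys (`<`, `>`, `/`, U+2028, U+2029) are safe, but a later addition such as `]`, `\` or `-` would throw at module load or silently change what is matched. A comment next to the dict would make that constraint visible, e.g. `// keys are placed unescaped inside a regex character class; keep ] \ ^ - out of this dict`. Dropping `&` from the escaped set is fine for the script-element context this targets, and the JSDoc on `escape_json_in_html` could state that scope so nobody reuses it for attribute or text content. The surrounding module code continues outside the hunk.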
@@ -1303,7 +1280,7 @@ async function render_response({
1303
1280
 
1304
1281
  if (shadow_props) {
1305
1282
  // prettier-ignore
1306
- body += `<script type="application/json" data-type="svelte-props">${escape_json_in_html(s(shadow_props))}</script>`;
1283
+ body += `<script type="application/json" data-type="svelte-props">${escape_json_in_html(shadow_props)}</script>`;
1307
1284
  }
1308
1285
  }
1309
1286
 
@@ -1758,11 +1735,21 @@ async function load_node({
1758
1735
  }
1759
1736
 
1760
1737
  if (!opts.body || typeof opts.body === 'string') {
1738
+ // the json constructed below is later added to the dom in a script tag
1739
+ // make sure the used values are safe
1740
+ const status_number = Number(response.status);
1741
+ if (isNaN(status_number)) {
1742
+ throw new Error(
1743
+ `response.status is not a number. value: "${
1744
+ response.status
1745
+ }" type: ${typeof response.status}`
1746
+ );
1747
+ }
1761
1748
  // prettier-ignore
1762
1749
  fetched.push({
1763
1750
  url: requested,
1764
1751
  body: /** @type {string} */ (opts.body),
1765
- json: `{"status":${response.status},"statusText":${s(response.statusText)},"headers":${s(headers)},"body":"${escape_json_value_in_html(body)}"}`
1752
+ json: `{"status":${status_number},"statusText":${s(response.statusText)},"headers":${s(headers)},"body":${escape_json_in_html(body)}}`
1766
1753
  });
1767
1754
  }
1768
1755
 
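Review bot: Only `body` goes through `escape_json_in_html` in the new `json` template; `response.statusText` and `headers` are still inserted via `s(...)`, which the render_response hunk treats as a plain stringifier (its output used to be escaped separately), so a `</script>` or U+2028 in a fetched response's header values or status text would still reach the script tag unescaped. Route them through the same helper: `"statusText":${escape_json_in_html(response.statusText)},"headers":${escape_json_in_html(headers)}`. The new guard uses the coercing global `isNaN`, and `Number()` maps null, '' and booleans to 0/1 rather than NaN, so `if (!Number.isInteger(status_number))` would reject more of the malformed values the comment says it wants to catch. load_node continues outside the hunk.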
@@ -347,7 +347,20 @@ function crawl(html) {
347
347
  return hrefs;
348
348
  }
349
349
 
350
+ // dict from https://github.com/yahoo/serialize-javascript/blob/183c18a776e4635a379fdc620f81771f219832bb/index.js#L25
350
351
  /** @type {Record<string, string>} */
352
+ const escape_json_in_html_dict = {
353
+ '<': '\\u003C',
354
+ '>': '\\u003E',
355
+ '/': '\\u002F',
356
+ '\u2028': '\\u2028',
357
+ '\u2029': '\\u2029'
358
+ };
359
+
360
+ new RegExp(
361
+ `[${Object.keys(escape_json_in_html_dict).join('')}]`,
362
+ 'g'
363
+ );
351
364
 
352
365
  /**
353
366
  * @param str {string} string to escape
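Review bot: The `new RegExp(...)` expression added after `escape_json_in_html_dict` is evaluated and then discarded — nothing binds or uses it, and the dict itself is not referenced anywhere in the visible hunk. This looks like a bundler artefact of the helper introduced in the other file (a dropped `const` whose side-effecting initializer survived), though I cannot confirm that from here. Either bind it and use it (`const escape_json_in_html_regex = new RegExp(`) or remove both the dict and the expression so the file does not carry dead code that compiles a regex at module load. The function documented by the trailing `@param str` continues outside the hunk.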
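--- a/package/dist/cli.js
+++ b/package/dist/cli.js
@@ -998,7 +998,7 @@ async function launch(port, https) {
  exec(`${cmd} ${https ? 'https' : 'http'}://localhost:${port}`);
  }
 
- const prog = sade('svelte-kit').version('1.0.0-next.267');
+ const prog = sade('svelte-kit').version('1.0.0-next.268');
 
  prog
  .command('dev')
@@ -1156,7 +1156,7 @@ async function check_port(port) {
  function welcome({ port, host, https, open, loose, allow, cwd }) {
  if (open) launch(port, https);
 
- console.log($.bold().cyan(`\n SvelteKit v${'1.0.0-next.267'}\n`));
+ console.log($.bold().cyan(`\n SvelteKit v${'1.0.0-next.268'}\n`));
 
  const protocol = https ? 'https:' : 'http:';
  const exposed = typeof host !== 'undefined' && host !== 'localhost' && host !== '127.0.0.1';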
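--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
  {
  "name": "@sveltejs/kit",
- "version": "1.0.0-next.267",
+ "version": "1.0.0-next.268",
  "repository": {
  "type": "git",
  "url": "https://github.com/sveltejs/kit",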