@sveltejs/kit 1.0.0-next.267 → 1.0.0-next.270

package/assets/client/start.js

@@ -1282,7 +1282,7 @@ class Renderer {
 							`${url.pathname}${url.pathname.endsWith('/') ? '' : '/'}__data.json`,
 							{
 								headers: {
-									'x-sveltekit-noredirect': 'true'
+									'x-sveltekit-load': 'true'
 								}
 							}
 						);

package/assets/server/index.js

@@ -88,6 +88,14 @@ function is_pojo(body) {
 
 	return true;
 }
+/**
+ * @param {import('types/hooks').RequestEvent} event
+ * @returns string
+ */
+function normalize_request_method(event) {
+	const method = event.request.method.toLowerCase();
+	return method === 'delete' ? 'del' : method; // 'delete' is a reserved word
+}
 
 /** @param {string} body */
 function error(body) {
@@ -127,9 +135,14 @@ function is_text(content_type) {
  * @returns {Promise<Response | undefined>}
  */
 async function render_endpoint(event, mod) {
+	const method = normalize_request_method(event);
+
 	/** @type {import('types/endpoint').RequestHandler} */
-	const handler = mod[event.request.method.toLowerCase().replace('delete', 'del')]; // 'delete' is a reserved word
+	let handler = mod[method];
 
+	if (!handler && method === 'head') {
+		handler = mod.get;
+	}
 	if (!handler) {
 		return;
 	}
@@ -179,7 +192,7 @@ async function render_endpoint(event, mod) {
 		}
 	}
 
-	return new Response(normalized_body, {
+	return new Response(method !== 'head' ? normalized_body : undefined, {
 		status,
 		headers
 	});
@@ -485,52 +498,29 @@ function coalesce_to_error(err) {
 		: new Error(JSON.stringify(err));
 }
 
+// dict from https://github.com/yahoo/serialize-javascript/blob/183c18a776e4635a379fdc620f81771f219832bb/index.js#L25
 /** @type {Record<string, string>} */
 const escape_json_in_html_dict = {
-	'&': '\\u0026',
-	'>': '\\u003e',
-	'<': '\\u003c',
-	'\u2028': '\\u2028',
-	'\u2029': '\\u2029'
-};
-
-/** @type {Record<string, string>} */
-const escape_json_value_in_html_dict = {
-	'"': '\\"',
 	'<': '\\u003C',
 	'>': '\\u003E',
 	'/': '\\u002F',
-	'\\': '\\\\',
-	'\b': '\\b',
-	'\f': '\\f',
-	'\n': '\\n',
-	'\r': '\\r',
-	'\t': '\\t',
-	'\0': '\\0',
 	'\u2028': '\\u2028',
 	'\u2029': '\\u2029'
 };
 
-/**
- * Escape a stringified JSON object that's going to be embedded in a `<script>` tag
- * @param {string} str
- */
-function escape_json_in_html(str) {
-	// adapted from https://github.com/vercel/next.js/blob/694407450638b037673c6d714bfe4126aeded740/packages/next/server/htmlescape.ts
-	// based on https://github.com/zertosh/htmlescape
-	// License: https://github.com/zertosh/htmlescape/blob/0527ca7156a524d256101bb310a9f970f63078ad/LICENSE
-	return str.replace(/[&><\u2028\u2029]/g, (match) => escape_json_in_html_dict[match]);
-}
+const escape_json_in_html_regex = new RegExp(
+	`[${Object.keys(escape_json_in_html_dict).join('')}]`,
+	'g'
+);
 
 /**
- * Escape a string JSON value to be embedded into a `<script>` tag
- * @param {string} str
+ * Escape a JSONValue that's going to be embedded in a `<script>` tag
+ * @param {import("@sveltejs/kit/types/helper").JSONValue} val
  */
-function escape_json_value_in_html(str) {
-	return escape(
-		str,
-		escape_json_value_in_html_dict,
-		(code) => `\\u${code.toString(16).toUpperCase()}`
+function escape_json_in_html(val) {
+	return JSON.stringify(val).replace(
+		escape_json_in_html_regex,
+		(match) => escape_json_in_html_dict[match]
 	);
 }
 
@@ -1303,7 +1293,7 @@ async function render_response({
 
 			if (shadow_props) {
 				// prettier-ignore
-				body += `<script type="application/json" data-type="svelte-props">${escape_json_in_html(s(shadow_props))}</script>`;
+				body += `<script type="application/json" data-type="svelte-props">${escape_json_in_html(shadow_props)}</script>`;
 			}
 		}
 
@@ -1573,6 +1563,7 @@ async function load_node({
 		? await load_shadow_data(
 				/** @type {import('types/internal').SSRPage} */ (route),
 				event,
+				options,
 				!!state.prerender
 		  )
 		: {};
@@ -1758,11 +1749,21 @@ async function load_node({
 							}
 
 							if (!opts.body || typeof opts.body === 'string') {
+								// the json constructed below is later added to the dom in a script tag
+								// make sure the used values are safe
+								const status_number = Number(response.status);
+								if (isNaN(status_number)) {
+									throw new Error(
+										`response.status is not a number. value: "${
+											response.status
+										}" type: ${typeof response.status}`
+									);
+								}
 								// prettier-ignore
 								fetched.push({
 									url: requested,
 									body: /** @type {string} */ (opts.body),
-									json: `{"status":${response.status},"statusText":${s(response.statusText)},"headers":${s(headers)},"body":"${escape_json_value_in_html(body)}"}`
+									json: `{"status":${status_number},"statusText":${s(response.statusText)},"headers":${s(headers)},"body":${escape_json_in_html(body)}}`
 								});
 							}
 
@@ -1867,10 +1868,11 @@ async function load_node({
  *
  * @param {import('types/internal').SSRPage} route
  * @param {import('types/hooks').RequestEvent} event
+ * @param {import('types/internal').SSROptions} options
  * @param {boolean} prerender
  * @returns {Promise<import('types/endpoint').ShadowData>}
  */
-async function load_shadow_data(route, event, prerender) {
+async function load_shadow_data(route, event, options, prerender) {
 	if (!route.shadow) return {};
 
 	try {
@@ -1880,10 +1882,11 @@ async function load_shadow_data(route, event, prerender) {
 			throw new Error('Cannot prerender pages that have shadow endpoints with mutative methods');
 		}
 
-		const method = event.request.method.toLowerCase().replace('delete', 'del');
-		const handler = mod[method];
+		const method = normalize_request_method(event);
+		const is_get = method === 'head' || method === 'get';
+		const handler = method === 'head' ? mod.head || mod.get : mod[method];
 
-		if (!handler) {
+		if (!handler && !is_get) {
 			return {
 				status: 405,
 				error: new Error(`${method} method not allowed`)
@@ -1897,7 +1900,7 @@ async function load_shadow_data(route, event, prerender) {
 			body: {}
 		};
 
-		if (method !== 'get') {
+		if (!is_get) {
 			const result = await handler(event);
 
 			if (result.fallthrough) return result;
@@ -1921,8 +1924,9 @@ async function load_shadow_data(route, event, prerender) {
 			data.body = body;
 		}
 
-		if (mod.get) {
-			const result = await mod.get.call(null, event);
+		const get = (method === 'head' && mod.head) || mod.get;
+		if (get) {
+			const result = await get(event);
 
 			if (result.fallthrough) return result;
 
@@ -1947,9 +1951,12 @@ async function load_shadow_data(route, event, prerender) {
 
 		return data;
 	} catch (e) {
+		const error = coalesce_to_error(e);
+		options.handle_error(error, event);
+
 		return {
 			status: 500,
-			error: coalesce_to_error(e)
+			error
 		};
 	}
 }
@@ -2584,22 +2591,30 @@ async function respond(request, options, state = {}) {
 					if (is_data_request && route.type === 'page' && route.shadow) {
 						response = await render_endpoint(event, await route.shadow());
 
-						// since redirects are opaque to the browser, we need to repackage
-						// 3xx responses as 200s with a custom header
-						if (
-							response &&
-							response.status >= 300 &&
-							response.status < 400 &&
-							request.headers.get('x-sveltekit-noredirect') === 'true'
-						) {
-							const location = response.headers.get('location');
-
-							if (location) {
-								const headers = new Headers(response.headers);
-								headers.set('x-sveltekit-location', location);
-								response = new Response(undefined, {
-									status: 204,
-									headers
+						// loading data for a client-side transition is a special case
+						if (request.headers.get('x-sveltekit-load') === 'true') {
+							if (response) {
+								// since redirects are opaque to the browser, we need to repackage
+								// 3xx responses as 200s with a custom header
+								if (response.status >= 300 && response.status < 400) {
+									const location = response.headers.get('location');
+
+									if (location) {
+										const headers = new Headers(response.headers);
+										headers.set('x-sveltekit-location', location);
+										response = new Response(undefined, {
+											status: 204,
+											headers
+										});
+									}
+								}
+							} else {
+								// TODO ideally, the client wouldn't request this data
+								// in the first place (at least in production)
+								response = new Response('{}', {
+									headers: {
+										'content-type': 'application/json'
+									}
 								});
 							}
 						}

package/dist/chunks/index5.js

@@ -347,7 +347,20 @@ function crawl(html) {
 	return hrefs;
 }
 
+// dict from https://github.com/yahoo/serialize-javascript/blob/183c18a776e4635a379fdc620f81771f219832bb/index.js#L25
 /** @type {Record<string, string>} */
+const escape_json_in_html_dict = {
+	'<': '\\u003C',
+	'>': '\\u003E',
+	'/': '\\u002F',
+	'\u2028': '\\u2028',
+	'\u2029': '\\u2029'
+};
+
+new RegExp(
+	`[${Object.keys(escape_json_in_html_dict).join('')}]`,
+	'g'
+);
 
 /**
  * @param str {string} string to escape

package/dist/cli.js

@@ -998,7 +998,7 @@ async function launch(port, https) {
 	exec(`${cmd} ${https ? 'https' : 'http'}://localhost:${port}`);
 }
 
-const prog = sade('svelte-kit').version('1.0.0-next.267');
+const prog = sade('svelte-kit').version('1.0.0-next.270');
 
 prog
 	.command('dev')
@@ -1156,7 +1156,7 @@ async function check_port(port) {
 function welcome({ port, host, https, open, loose, allow, cwd }) {
 	if (open) launch(port, https);
 
-	console.log($.bold().cyan(`\n  SvelteKit v${'1.0.0-next.267'}\n`));
+	console.log($.bold().cyan(`\n  SvelteKit v${'1.0.0-next.270'}\n`));
 
 	const protocol = https ? 'https:' : 'http:';
 	const exposed = typeof host !== 'undefined' && host !== 'localhost' && host !== '127.0.0.1';

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sveltejs/kit",
-  "version": "1.0.0-next.267",
+  "version": "1.0.0-next.270",
   "repository": {
     "type": "git",
     "url": "https://github.com/sveltejs/kit",