@sveltejs/kit 1.0.0-next.286 → 1.0.0-next.289

package/assets/client/start.js

@@ -76,7 +76,7 @@ class Router {
 	 *    base: string;
 	 *    routes: import('types').CSRRoute[];
 	 *    trailing_slash: import('types').TrailingSlash;
-	 *    renderer: import('./renderer').Renderer
+	 *    renderer: import('./renderer').Renderer;
 	 * }} opts
 	 */
 	constructor({ base, routes, trailing_slash, renderer }) {
@@ -93,9 +93,6 @@ class Router {
 		this.enabled = true;
 		this.initialized = false;
 
-		// make it possible to reset focus
-		document.body.setAttribute('tabindex', '-1');
-
 		// keeping track of the history index in order to prevent popstate navigation events if needed
 		this.current_history_index = history.state?.['sveltekit:index'] ?? 0;
 
@@ -313,8 +310,7 @@ class Router {
 				id: url.pathname + url.search,
 				routes: this.routes.filter(([pattern]) => pattern.test(path)),
 				url,
-				path,
-				initial: !this.initialized
+				path
 			};
 		}
 	}
@@ -658,12 +654,12 @@ function create_updated_store() {
  * @param {RequestInit} [opts]
  */
 function initial_fetch(resource, opts) {
-	const url = typeof resource === 'string' ? resource : resource.url;
+	const url = JSON.stringify(typeof resource === 'string' ? resource : resource.url);
 
-	let selector = `script[data-type="svelte-data"][data-url=${JSON.stringify(url)}]`;
+	let selector = `script[sveltekit\\:data-type="data"][sveltekit\\:data-url=${url}]`;
 
 	if (opts && typeof opts.body === 'string') {
-		selector += `[data-body="${hash(opts.body)}"]`;
+		selector += `[sveltekit\\:data-body="${hash(opts.body)}"]`;
 	}
 
 	const script = document.querySelector(selector);
@@ -782,7 +778,7 @@ class Renderer {
 				let props;
 
 				if (is_leaf) {
-					const serialized = document.querySelector('[data-type="svelte-props"]');
+					const serialized = document.querySelector('script[sveltekit\\:data-type="props"]');
 					if (serialized) {
 						props = JSON.parse(/** @type {string} */ (serialized.textContent));
 					}
@@ -879,6 +875,14 @@ class Renderer {
 		const token = (this.token = {});
 		let navigation_result = await this._get_navigation_result(info, no_cache);
 
+		if (!navigation_result && info.url.pathname === location.pathname) {
+			navigation_result = await this._load_error({
+				status: 404,
+				error: new Error(`Not found: ${info.url.pathname}`),
+				url: info.url
+			});
+		}
+
 		if (!navigation_result) {
 			location.href = info.url.href;
 			return;
@@ -932,8 +936,24 @@ class Renderer {
 			const { scroll, keepfocus } = opts;
 
 			if (!keepfocus) {
+				// Reset page selection and focus
+				// We try to mimick browsers' behaviour as closely as possible by targeting the
+				// viewport, but unfortunately it's not a perfect match — e.g. shift-tabbing won't
+				// immediately cycle from the end of the page
+				// See https://html.spec.whatwg.org/multipage/interaction.html#get-the-focusable-area
+				const root = document.documentElement;
+				const tabindex = root.getAttribute('tabindex');
+
 				getSelection()?.removeAllRanges();
-				document.body.focus();
+				root.tabIndex = -1;
+				root.focus();
+
+				// restore `tabindex` as to prevent the document from stealing input from elements
+				if (tabindex !== null) {
+					root.setAttribute('tabindex', tabindex);
+				} else {
+					root.removeAttribute('tabindex');
+				}
 			}
 
 			// need to render the DOM before we can scroll to the rendered elements
@@ -1070,14 +1090,6 @@ class Renderer {
 			);
 			if (result) return result;
 		}
-
-		if (info.initial) {
-			return await this._load_error({
-				status: 404,
-				error: new Error(`Not found: ${info.url.pathname}`),
-				url: info.url
-			});
-		}
 	}
 
 	/**

package/assets/server/index.js

@@ -498,30 +498,62 @@ function coalesce_to_error(err) {
 		: new Error(JSON.stringify(err));
 }
 
-// dict from https://github.com/yahoo/serialize-javascript/blob/183c18a776e4635a379fdc620f81771f219832bb/index.js#L25
-/** @type {Record<string, string>} */
-const escape_json_in_html_dict = {
+/**
+ * Inside a script element, only `</script` and `<!--` hold special meaning to the HTML parser.
+ *
+ * The first closes the script element, so everything after is treated as raw HTML.
+ * The second disables further parsing until `-->`, so the script element might be unexpectedly
+ * kept open until until an unrelated HTML comment in the page.
+ *
+ * U+2028 LINE SEPARATOR and U+2029 PARAGRAPH SEPARATOR are escaped for the sake of pre-2018
+ * browsers.
+ *
+ * @see tests for unsafe parsing examples.
+ * @see https://html.spec.whatwg.org/multipage/scripting.html#restrictions-for-contents-of-script-elements
+ * @see https://html.spec.whatwg.org/multipage/syntax.html#cdata-rcdata-restrictions
+ * @see https://html.spec.whatwg.org/multipage/parsing.html#script-data-state
+ * @see https://html.spec.whatwg.org/multipage/parsing.html#script-data-double-escaped-state
+ * @see https://github.com/tc39/proposal-json-superset
+ * @type {Record<string, string>}
+ */
+const render_json_payload_script_dict = {
 	'<': '\\u003C',
-	'>': '\\u003E',
-	'/': '\\u002F',
 	'\u2028': '\\u2028',
 	'\u2029': '\\u2029'
 };
 
-const escape_json_in_html_regex = new RegExp(
-	`[${Object.keys(escape_json_in_html_dict).join('')}]`,
+const render_json_payload_script_regex = new RegExp(
+	`[${Object.keys(render_json_payload_script_dict).join('')}]`,
 	'g'
 );
 
 /**
- * Escape a JSONValue that's going to be embedded in a `<script>` tag
- * @param {import('types').JSONValue} val
+ * Generates a raw HTML string containing a safe script element carrying JSON data and associated attributes.
+ *
+ * It escapes all the special characters needed to guarantee the element is unbroken, but care must
+ * be taken to ensure it is inserted in the document at an acceptable position for a script element,
+ * and that the resulting string isn't further modified.
+ *
+ * Attribute names must be type-checked so we don't need to escape them.
+ *
+ * @param {import('types').PayloadScriptAttributes} attrs A list of attributes to be added to the element.
+ * @param {import('types').JSONValue} payload The data to be carried by the element. Must be serializable to JSON.
+ * @returns {string} The raw HTML of a script element carrying the JSON payload.
+ * @example const html = render_json_payload_script({ type: 'data', url: '/data.json' }, { foo: 'bar' });
  */
-function escape_json_in_html(val) {
-	return JSON.stringify(val).replace(
-		escape_json_in_html_regex,
-		(match) => escape_json_in_html_dict[match]
+function render_json_payload_script(attrs, payload) {
+	const safe_payload = JSON.stringify(payload).replace(
+		render_json_payload_script_regex,
+		(match) => render_json_payload_script_dict[match]
 	);
+
+	let safe_attrs = '';
+	for (const [key, value] of Object.entries(attrs)) {
+		if (value === undefined) continue;
+		safe_attrs += ` sveltekit:data-${key}=${escape_html_attr(value)}`;
+	}
+
+	return `<script type="application/json"${safe_attrs}>${safe_payload}</script>`;
 }
 
 /**
@@ -1084,7 +1116,7 @@ async function render_response({
 	/** @type {Map<string, string>} */
 	const styles = new Map();
 
-	/** @type {Array<{ url: string, body: string, json: string }>} */
+	/** @type {Array<import('./types').Fetched>} */
 	const serialized_data = [];
 
 	let shadow_props;
@@ -1280,19 +1312,17 @@ async function render_response({
 
 			body += `\n\t\t<script ${attributes.join(' ')}>${init_app}</script>`;
 
-			// prettier-ignore
 			body += serialized_data
-				.map(({ url, body, json }) => {
-					let attributes = `type="application/json" data-type="svelte-data" data-url=${escape_html_attr(url)}`;
-					if (body) attributes += ` data-body="${hash(body)}"`;
-
-					return `<script ${attributes}>${json}</script>`;
-				})
+				.map(({ url, body, response }) =>
+					render_json_payload_script(
+						{ type: 'data', url, body: typeof body === 'string' ? hash(body) : undefined },
+						response
+					)
+				)
 				.join('\n\t');
 
 			if (shadow_props) {
-				// prettier-ignore
-				body += `<script type="application/json" data-type="svelte-props">${escape_json_in_html(shadow_props)}</script>`;
+				body += render_json_payload_script({ type: 'props' }, shadow_props);
 			}
 		}
 
@@ -1542,13 +1572,7 @@ async function load_node({
 
 	let uses_credentials = false;
 
-	/**
-	 * @type {Array<{
-	 *   url: string;
-	 *   body: string;
-	 *   json: string;
-	 * }>}
-	 */
+	/** @type {Array<import('./types').Fetched>} */
 	const fetched = [];
 
 	/**
@@ -1748,8 +1772,6 @@ async function load_node({
 							}
 
 							if (!opts.body || typeof opts.body === 'string') {
-								// the json constructed below is later added to the dom in a script tag
-								// make sure the used values are safe
 								const status_number = Number(response.status);
 								if (isNaN(status_number)) {
 									throw new Error(
@@ -1758,11 +1780,16 @@ async function load_node({
 										}" type: ${typeof response.status}`
 									);
 								}
-								// prettier-ignore
+
 								fetched.push({
 									url: requested,
-									body: /** @type {string} */ (opts.body),
-									json: `{"status":${status_number},"statusText":${s(response.statusText)},"headers":${s(headers)},"body":${escape_json_in_html(body)}}`
+									body: opts.body,
+									response: {
+										status: status_number,
+										statusText: response.statusText,
+										headers,
+										body
+									}
 								});
 							}
 
@@ -2516,7 +2543,6 @@ async function respond(request, options, state = {}) {
 		request,
 		url,
 		params: {},
-		// @ts-expect-error this picks up types that belong to the tests
 		locals: {},
 		platform: state.platform
 	};

package/dist/chunks/amp_hook.js

@@ -1,5 +1,5 @@
 /** @type {import('amphtml-validator').Validator} */
-const amp = await (await import('./index8.js').then(function (n) { return n.i; })).getInstance();
+const amp = await (await import('./index7.js').then(function (n) { return n.i; })).getInstance();
 
 /** @type {import('types').Handle} */
 async function handle({ event, resolve }) {

package/dist/chunks/index.js

@@ -1,12 +1,12 @@
 import path__default from 'path';
 import { svelte } from '@sveltejs/vite-plugin-svelte';
 import vite from 'vite';
-import { c as create_manifest_data, a as create_app, d as deep_merge } from './index2.js';
+import { c as create_manifest_data, a as create_app, g as generate_tsconfig, d as deep_merge } from './tsconfig.js';
 import { r as runtime, S as SVELTE_KIT_ASSETS, a as resolve_entry, $, b as SVELTE_KIT, l as load_template, c as coalesce_to_error, g as get_mime_lookup, d as copy_assets, e as get_aliases, p as print_config_conflicts } from '../cli.js';
 import fs__default from 'fs';
 import { URL } from 'url';
 import { s as sirv } from './build.js';
-import { __fetch_polyfill } from '../install-fetch.js';
+import { installFetch } from '../install-fetch.js';
 import { getRequest, setResponse } from '../node.js';
 import { sequence } from '../hooks.js';
 import './misc.js';
@@ -46,7 +46,7 @@ async function create_plugin(config, cwd) {
 		name: 'vite-plugin-svelte-kit',
 
 		configureServer(vite) {
-			__fetch_polyfill();
+			installFetch();
 
 			/** @type {import('types').SSRManifest} */
 			let manifest;
@@ -54,7 +54,7 @@ async function create_plugin(config, cwd) {
 			function update_manifest() {
 				const manifest_data = create_manifest_data({ config, cwd });
 
-				create_app({ manifest_data, output: `${SVELTE_KIT}/generated`, cwd });
+				create_app({ config, manifest_data, cwd });
 
 				manifest = {
 					appDir: config.kit.appDir,
@@ -210,7 +210,6 @@ async function create_plugin(config, cwd) {
 
 						/** @type {import('types').Hooks} */
 						const hooks = {
-							// @ts-expect-error this picks up types that belong to the tests
 							getSession: user_hooks.getSession || (() => ({})),
 							handle: amp ? sequence(amp, handle) : handle,
 							handleError:
@@ -408,6 +407,8 @@ function find_deps(node, deps) {
 async function dev({ cwd, port, host, https, config }) {
 	copy_assets(`${SVELTE_KIT}/runtime`);
 
+	generate_tsconfig(config);
+
 	const [vite_config] = deep_merge(
 		{
 			server: {