astro 7.0.0-beta.3 → 7.0.0-beta.5

package/dist/core/i18n/handler.js

@@ -3,7 +3,6 @@ import { computeFallbackRoute } from "../../i18n/fallback.js";
 import { I18nRouter } from "../../i18n/router.js";
 import { PipelineFeatures } from "../base-pipeline.js";
 import { shouldAppendForwardSlash } from "../build/util.js";
-import { REROUTE_DIRECTIVE_HEADER, ROUTE_TYPE_HEADER } from "../constants.js";
 class I18n {
   #i18n;
   #base;
@@ -36,25 +35,20 @@ class I18n {
   async finalize(state, response) {
     state.pipeline.usedFeatures |= PipelineFeatures.i18n;
     const i18n = this.#i18n;
-    const typeHeader = response.headers.get(ROUTE_TYPE_HEADER);
-    if (typeHeader) {
-      response.headers.delete(ROUTE_TYPE_HEADER);
-    }
-    const isReroute = response.headers.get(REROUTE_DIRECTIVE_HEADER);
-    if (isReroute === "no" && typeof i18n.fallback === "undefined") {
+    if (state.skipErrorReroute && typeof i18n.fallback === "undefined") {
       return response;
     }
-    if (typeHeader !== "page" && typeHeader !== "fallback") {
+    if (state.responseRouteType !== "page" && state.responseRouteType !== "fallback") {
       return response;
     }
-    const url = new URL(state.request.url);
+    const url = state.url;
     const currentLocale = state.computeCurrentLocale();
     const isPrerendered = state.routeData.prerender;
     const routerContext = {
       currentLocale,
       currentDomain: url.hostname,
-      routeType: typeHeader,
-      isReroute: isReroute === "yes"
+      routeType: state.responseRouteType,
+      isReroute: false
     };
     const routeDecision = this.#router.match(url.pathname, routerContext);
     switch (routeDecision.type) {
@@ -74,7 +68,7 @@ class I18n {
             status: 404,
             headers: response.headers
           });
-          prerenderedRes.headers.set(REROUTE_DIRECTIVE_HEADER, "no");
+          state.skipErrorReroute = true;
           if (routeDecision.location) {
             prerenderedRes.headers.set("Location", routeDecision.location);
           }
@@ -90,7 +84,7 @@ class I18n {
         break;
     }
     if (i18n.fallback && i18n.fallbackType) {
-      const effectiveStatus = typeHeader === "fallback" ? 404 : response.status;
+      const effectiveStatus = state.responseRouteType === "fallback" ? 404 : response.status;
       const fallbackDecision = computeFallbackRoute({
         pathname: url.pathname,
         responseStatus: effectiveStatus,

package/dist/core/messages/runtime.js

@@ -269,7 +269,7 @@ function printHelp({
     message.push(
       linebreak(),
       `  ${bgGreen(black(` ${commandName} `))} ${green(
-        `v${"7.0.0-beta.3"}`
+        `v${"7.0.0-beta.5"}`
       )} ${headline}`
     );
   }

package/dist/core/middleware/astro-middleware.d.ts

@@ -1,5 +1,6 @@
 import type { FetchState } from '../fetch/fetch-state.js';
 import type { APIContext } from '../../types/public/context.js';
+import type { BaseApp } from '../app/base.js';
 import { type Pipeline } from '../base-pipeline.js';
 /**
  * Callback invoked at the bottom of the middleware chain to dispatch the
@@ -24,4 +25,22 @@ export declare class AstroMiddleware {
     #private;
     constructor(pipeline: Pipeline);
     handle(state: FetchState, renderRouteCallback: RenderRouteCallback): Promise<Response>;
+    /**
+     * Like `handle`, but mirrors the app-level error handling that
+     * `AstroHandler` provides on the standard path, the same way
+     * `PagesHandler.handleWithErrorFallback` does for `pages()`. When no
+     * route matched it returns a 404 marked with `X-Astro-Error` for the
+     * app's post-check; when Astro's own middleware chain throws it logs the
+     * error and renders the custom `500.astro`.
+     *
+     * Errors surfaced through `renderRouteCallback` (the host framework's
+     * `next`, e.g. host middleware mounted below `middleware()`) are
+     * re-thrown instead, so the host's own error handling still runs rather
+     * than being swallowed into Astro's 500 page. A sentinel tells the two
+     * apart.
+     *
+     * Used by the composable `astro/fetch` `middleware()` entry point, where
+     * there is no surrounding `AstroHandler` to supply this fallback.
+     */
+    handleWithErrorFallback(app: BaseApp<Pipeline>, state: FetchState, renderRouteCallback: RenderRouteCallback): Promise<Response>;
 }

package/dist/core/middleware/astro-middleware.js

@@ -1,4 +1,5 @@
 import { PipelineFeatures } from "../base-pipeline.js";
+import { ASTRO_ERROR_HEADER } from "../constants.js";
 import { attachCookiesToResponse } from "../cookies/index.js";
 import { applyRewriteToState } from "../rewrites/handler.js";
 import { callMiddleware } from "./callMiddleware.js";
@@ -41,6 +42,48 @@ class AstroMiddleware {
     state.response = response;
     return response;
   }
+  /**
+   * Like `handle`, but mirrors the app-level error handling that
+   * `AstroHandler` provides on the standard path, the same way
+   * `PagesHandler.handleWithErrorFallback` does for `pages()`. When no
+   * route matched it returns a 404 marked with `X-Astro-Error` for the
+   * app's post-check; when Astro's own middleware chain throws it logs the
+   * error and renders the custom `500.astro`.
+   *
+   * Errors surfaced through `renderRouteCallback` (the host framework's
+   * `next`, e.g. host middleware mounted below `middleware()`) are
+   * re-thrown instead, so the host's own error handling still runs rather
+   * than being swallowed into Astro's 500 page. A sentinel tells the two
+   * apart.
+   *
+   * Used by the composable `astro/fetch` `middleware()` entry point, where
+   * there is no surrounding `AstroHandler` to supply this fallback.
+   */
+  async handleWithErrorFallback(app, state, renderRouteCallback) {
+    if (!state.routeData) {
+      return new Response(null, { status: 404, headers: { [ASTRO_ERROR_HEADER]: "true" } });
+    }
+    let nextError;
+    try {
+      return await this.handle(state, async (s, ctx) => {
+        try {
+          return await renderRouteCallback(s, ctx);
+        } catch (err) {
+          nextError = err;
+          throw err;
+        }
+      });
+    } catch (err) {
+      if (err === nextError) throw err;
+      app.logger.error(null, err.stack || err.message || String(err));
+      return app.renderError(state.request, {
+        ...state.renderOptions,
+        status: 500,
+        error: err,
+        pathname: state.pathname
+      });
+    }
+  }
   #finalize(state, response) {
     attachCookiesToResponse(response, state.cookies);
     return response;

package/dist/core/middleware/noop-middleware.js

@@ -1,7 +1,5 @@
-import { NOOP_MIDDLEWARE_HEADER } from "../constants.js";
 const NOOP_MIDDLEWARE_FN = async (_ctx, next) => {
   const response = await next();
-  response.headers.set(NOOP_MIDDLEWARE_HEADER, "true");
   return response;
 };
 export {

package/dist/core/middleware/vite-plugin.d.ts

@@ -3,6 +3,7 @@ import type { AstroSettings } from '../../types/astro.js';
 import type { BuildInternals } from '../build/internal.js';
 import type { StaticBuildOptions } from '../build/types.js';
 export declare const MIDDLEWARE_MODULE_ID = "virtual:astro:middleware";
+export declare function isMiddlewarePath(relativePath: string): boolean;
 export declare function vitePluginMiddleware({ settings }: {
     settings: AstroSettings;
 }): VitePlugin;

package/dist/core/middleware/vite-plugin.js

@@ -11,6 +11,9 @@ import { normalizePath } from "../viteUtils.js";
 const MIDDLEWARE_MODULE_ID = "virtual:astro:middleware";
 const MIDDLEWARE_RESOLVED_MODULE_ID = "\0" + MIDDLEWARE_MODULE_ID;
 const NOOP_MIDDLEWARE = "\0noop-middleware";
+function isMiddlewarePath(relativePath) {
+  return relativePath.startsWith(`${MIDDLEWARE_PATH_SEGMENT_NAME}.`) || relativePath.startsWith(`${MIDDLEWARE_PATH_SEGMENT_NAME}/`);
+}
 function vitePluginMiddleware({ settings }) {
   let resolvedMiddlewareId = void 0;
   const hasIntegrationMiddleware = settings.middlewares.pre.length > 0 || settings.middlewares.post.length > 0;
@@ -26,7 +29,7 @@ function vitePluginMiddleware({ settings }) {
         const normalizedPath = viteNormalizePath(path);
         if (!normalizedPath.startsWith(normalizedSrcDir)) return;
         const relativePath = normalizedPath.slice(normalizedSrcDir.length);
-        if (!relativePath.startsWith(`${MIDDLEWARE_PATH_SEGMENT_NAME}.`)) return;
+        if (!isMiddlewarePath(relativePath)) return;
         for (const name of [
           ASTRO_VITE_ENVIRONMENT_NAMES.ssr,
           ASTRO_VITE_ENVIRONMENT_NAMES.astro
@@ -135,6 +138,7 @@ function vitePluginMiddlewareBuild(opts, internals) {
 }
 export {
   MIDDLEWARE_MODULE_ID,
+  isMiddlewarePath,
   vitePluginMiddleware,
   vitePluginMiddlewareBuild
 };

package/dist/core/pages/handler.d.ts

@@ -1,4 +1,5 @@
 import type { APIContext } from '../../types/public/context.js';
+import type { BaseApp } from '../app/base.js';
 import type { FetchState } from '../fetch/fetch-state.js';
 import type { Pipeline } from '../base-pipeline.js';
 /**
@@ -17,4 +18,16 @@ export declare class PagesHandler {
     #private;
     constructor(pipeline: Pipeline);
     handle(state: FetchState, ctx: APIContext): Promise<Response>;
+    /**
+     * Like `handle`, but mirrors the app-level error handling that
+     * `AstroHandler` provides on the standard path: unmatched routes
+     * return a 404 marked with `X-Astro-Error` for the app's post-check
+     * to render the 404 error page, and render-time errors are logged
+     * and render the 500 error page instead of propagating to the host
+     * framework.
+     *
+     * Used by the composable `astro/fetch` `pages()` entry point, where
+     * there is no surrounding `AstroHandler` to supply this fallback.
+     */
+    handleWithErrorFallback(app: BaseApp<Pipeline>, state: FetchState): Promise<Response>;
 }

package/dist/core/pages/handler.js

@@ -1,12 +1,6 @@
 import { renderEndpoint } from "../../runtime/server/endpoint.js";
 import { renderPage } from "../../runtime/server/index.js";
-import {
-  ASTRO_ERROR_HEADER,
-  REROUTE_DIRECTIVE_HEADER,
-  REWRITE_DIRECTIVE_HEADER_KEY,
-  REWRITE_DIRECTIVE_HEADER_VALUE,
-  ROUTE_TYPE_HEADER
-} from "../constants.js";
+import { ASTRO_ERROR_HEADER } from "../constants.js";
 import { getCookiesFromResponse } from "../cookies/response.js";
 const EMPTY_SLOTS = Object.freeze({});
 class PagesHandler {
@@ -17,6 +11,7 @@ class PagesHandler {
   async handle(state, ctx) {
     const pipeline = this.#pipeline;
     const { logger, streaming } = pipeline;
+    state.resetResponseMetadata();
     let response;
     const componentInstance = await state.loadComponentInstance();
     switch (state.routeData.type) {
@@ -25,7 +20,8 @@ class PagesHandler {
           componentInstance,
           ctx,
           state.routeData.prerender,
-          logger
+          logger,
+          state
         );
         break;
       }
@@ -46,12 +42,9 @@ class PagesHandler {
           result.cancelled = true;
           throw e;
         }
-        response.headers.set(ROUTE_TYPE_HEADER, "page");
+        state.responseRouteType = "page";
         if (state.routeData.route === "/404" || state.routeData.route === "/500") {
-          response.headers.set(REROUTE_DIRECTIVE_HEADER, "no");
-        }
-        if (state.isRewriting) {
-          response.headers.set(REWRITE_DIRECTIVE_HEADER_KEY, REWRITE_DIRECTIVE_HEADER_VALUE);
+          state.skipErrorReroute = true;
         }
         break;
       }
@@ -59,7 +52,8 @@ class PagesHandler {
         return new Response(null, { status: 404, headers: { [ASTRO_ERROR_HEADER]: "true" } });
       }
       case "fallback": {
-        return new Response(null, { status: 500, headers: { [ROUTE_TYPE_HEADER]: "fallback" } });
+        state.responseRouteType = "fallback";
+        return new Response(null, { status: 500 });
       }
     }
     const responseCookies = getCookiesFromResponse(response);
@@ -69,6 +63,33 @@ class PagesHandler {
     state.response = response;
     return response;
   }
+  /**
+   * Like `handle`, but mirrors the app-level error handling that
+   * `AstroHandler` provides on the standard path: unmatched routes
+   * return a 404 marked with `X-Astro-Error` for the app's post-check
+   * to render the 404 error page, and render-time errors are logged
+   * and render the 500 error page instead of propagating to the host
+   * framework.
+   *
+   * Used by the composable `astro/fetch` `pages()` entry point, where
+   * there is no surrounding `AstroHandler` to supply this fallback.
+   */
+  async handleWithErrorFallback(app, state) {
+    if (!state.routeData) {
+      return new Response(null, { status: 404, headers: { [ASTRO_ERROR_HEADER]: "true" } });
+    }
+    try {
+      return await this.handle(state, state.getAPIContext());
+    } catch (err) {
+      app.logger.error(null, err.stack || err.message || String(err));
+      return app.renderError(state.request, {
+        ...state.renderOptions,
+        status: 500,
+        error: err,
+        pathname: state.pathname
+      });
+    }
+  }
 }
 export {
   PagesHandler

package/dist/core/routing/handler.js

@@ -1,9 +1,5 @@
 import { ActionHandler } from "../../actions/handler.js";
-import {
-  REROUTABLE_STATUS_CODES,
-  REROUTE_DIRECTIVE_HEADER,
-  REWRITE_DIRECTIVE_HEADER_KEY
-} from "../constants.js";
+import { REROUTABLE_STATUS_CODES } from "../constants.js";
 import { TrailingSlashHandler } from "./trailing-slash-handler.js";
 import { CacheHandler, provideCache } from "../cache/handler.js";
 import { I18n } from "../i18n/handler.js";
@@ -65,6 +61,9 @@ class AstroHandler {
   }
   async handle(state) {
     state.pipeline.usedFeatures |= ALL_PIPELINE_FEATURES;
+    if (state.invalidEncoding) {
+      return new Response(null, { status: 400, statusText: "Bad Request" });
+    }
     const trailingSlashRedirect = this.#trailingSlashHandler.handle(state);
     if (trailingSlashRedirect) {
       return trailingSlashRedirect;
@@ -128,12 +127,11 @@ class AstroHandler {
         };
         response = await this.#cacheHandler.handle(state, runPipeline);
       }
-      const isRewrite = response.headers.has(REWRITE_DIRECTIVE_HEADER_KEY);
       this.#app.logThisRequest({
         pathname,
         method: request.method,
         statusCode: response.status,
-        isRewrite,
+        isRewrite: state.isRewriting,
         timeStart: state.timeStart
       });
     } catch (err) {
@@ -150,7 +148,7 @@ class AstroHandler {
     }
     if (REROUTABLE_STATUS_CODES.includes(response.status) && // If the body isn't null, that means the user sets the 404 status
     // but uses the current route to handle the 404
-    response.body === null && response.headers.get(REROUTE_DIRECTIVE_HEADER) !== "no") {
+    response.body === null && !state.skipErrorReroute) {
       return this.#app.renderError(request, {
         ...state.renderOptions,
         response,

package/dist/core/routing/rewrite.js

@@ -10,6 +10,7 @@ import {
   trimSlashes
 } from "../path.js";
 import { createRequest } from "../request.js";
+import { validateAndDecodePathname } from "../util/pathname.js";
 import { DEFAULT_404_ROUTE } from "./internal/astro-designed-error-pages.js";
 import { isRoute404, isRoute500 } from "./internal/route-errors.js";
 function findRouteToRewrite({
@@ -36,7 +37,7 @@ function findRouteToRewrite({
     buildFormat
   );
   newUrl.pathname = resolvedUrlPathname;
-  const decodedPathname = decodeURI(pathname);
+  const decodedPathname = validateAndDecodePathname(pathname);
   if (isRoute404(decodedPathname)) {
     const errorRoute = routes.find((route) => route.route === "/404");
     if (errorRoute) {

package/dist/core/util/normalized-url.js

@@ -1,15 +1,12 @@
 import { collapseDuplicateSlashes } from "@astrojs/internal-helpers/path";
-import { MultiLevelEncodingError, validateAndDecodePathname } from "./pathname.js";
+import { validateAndDecodePathname } from "./pathname.js";
 function createNormalizedUrl(requestUrl) {
   return normalizeUrl(new URL(requestUrl));
 }
 function normalizeUrl(url) {
   try {
     url.pathname = validateAndDecodePathname(url.pathname);
-  } catch (e) {
-    if (e instanceof MultiLevelEncodingError) {
-      throw e;
-    }
+  } catch {
     try {
       url.pathname = decodeURI(url.pathname);
     } catch {

package/dist/core/util/pathname.d.ts

@@ -1,19 +1,26 @@
 /**
- * Error thrown when multi-level URL encoding is detected in a pathname.
- * This is a distinct error type so callers can handle it specifically
- * (e.g., returning a 400 response) rather than falling back to partial decoding.
+ * Thrown when a URL path is encoded so many times that we give up decoding it
+ * (see {@link validateAndDecodePathname}). When this happens we reject the
+ * request with a `400` instead of guessing the path. If we let a half-decoded
+ * path through, your middleware might check one path while Astro routes to a
+ * different one.
  */
 export declare class MultiLevelEncodingError extends Error {
     constructor();
 }
 /**
- * Validates that a pathname is not multi-level encoded.
- * Detects if a pathname contains encoding that was encoded again (e.g., %2561dmin where %25 decodes to %).
- * This prevents double/triple encoding bypasses of security checks.
+ * Decodes a URL path over and over until it stops changing, so a path that was
+ * encoded several times ends up as a single, final path. This stops someone
+ * from sneaking a path like `/admin` past middleware by encoding it multiple
+ * times — middleware always sees the real, decoded path.
  *
- * @param pathname - The pathname to validate
- * @returns The decoded pathname if valid
- * @throws MultiLevelEncodingError if multi-level encoding is detected
- * @throws Error if the pathname contains invalid URL encoding
+ * @param pathname - The path to decode
+ * @returns The final, fully decoded path
+ * @throws Error if the path has broken encoding that can't be decoded at all
+ *   (for example a lone `%` that isn't followed by two hex digits)
+ * @throws MultiLevelEncodingError if the path is still changing after
+ *   {@link MAX_DECODE_ITERATIONS} tries (it was encoded too many times).
+ *   Handing back a half-decoded path here would bring back the security hole
+ *   this function exists to close.
  */
 export declare function validateAndDecodePathname(pathname: string): string;

package/dist/core/util/pathname.js

@@ -1,22 +1,29 @@
 class MultiLevelEncodingError extends Error {
   constructor() {
-    super("Multi-level URL encoding is not allowed");
+    super("URL encoding depth exceeded the maximum number of decode iterations");
     this.name = "MultiLevelEncodingError";
   }
 }
-const ENCODING_REGEX = /%25[0-9a-fA-F]{2}/;
+const MAX_DECODE_ITERATIONS = 10;
 function validateAndDecodePathname(pathname) {
-  if (ENCODING_REGEX.test(pathname)) {
-    throw new MultiLevelEncodingError();
-  }
   let decoded;
   try {
     decoded = decodeURI(pathname);
   } catch (_e) {
     throw new Error("Invalid URL encoding");
   }
-  if (ENCODING_REGEX.test(decoded)) {
-    throw new MultiLevelEncodingError();
+  let iterations = 0;
+  while (decoded !== pathname) {
+    if (iterations >= MAX_DECODE_ITERATIONS) {
+      throw new MultiLevelEncodingError();
+    }
+    pathname = decoded;
+    try {
+      decoded = decodeURI(pathname);
+    } catch {
+      break;
+    }
+    iterations++;
   }
   return decoded;
 }

package/dist/i18n/index.js

@@ -1,6 +1,10 @@
-import { appendForwardSlash, joinPaths } from "@astrojs/internal-helpers/path";
+import {
+  appendForwardSlash,
+  joinPaths,
+  removeTrailingForwardSlash
+} from "@astrojs/internal-helpers/path";
 import { shouldAppendForwardSlash } from "../core/build/util.js";
-import { REROUTE_DIRECTIVE_HEADER } from "../core/constants.js";
+import { getFetchStateFromAPIContext } from "../core/fetch/fetch-state.js";
 import { i18nNoLocaleFoundInPath, MissingLocale } from "../core/errors/errors-data.js";
 import { AstroError } from "../core/errors/index.js";
 import { createI18nMiddleware } from "./middleware.js";
@@ -55,7 +59,7 @@ function getLocaleRelativeUrl({
   if (shouldAppendForwardSlash(trailingSlash, format)) {
     relativePath = appendForwardSlash(joinPaths(...pathsToJoin));
   } else {
-    relativePath = joinPaths(...pathsToJoin);
+    relativePath = removeTrailingForwardSlash(joinPaths(...pathsToJoin));
   }
   if (relativePath === "") {
     return "/";
@@ -196,24 +200,22 @@ function redirectToDefaultLocale({
 }
 function notFound({ base, locales, fallback }) {
   return function(context, response) {
-    if (response?.headers.get(REROUTE_DIRECTIVE_HEADER) === "no" && typeof fallback === "undefined") {
+    const fetchState = getFetchStateFromAPIContext(context);
+    if (fetchState.skipErrorReroute && typeof fallback === "undefined") {
       return response;
     }
     const url = context.url;
     const isRoot = url.pathname === base + "/" || url.pathname === base;
     if (!(isRoot || pathHasLocale(url.pathname, locales))) {
+      fetchState.skipErrorReroute = true;
       if (response) {
-        response.headers.set(REROUTE_DIRECTIVE_HEADER, "no");
         return new Response(response.body, {
           status: 404,
           headers: response.headers
         });
       } else {
         return new Response(null, {
-          status: 404,
-          headers: {
-            [REROUTE_DIRECTIVE_HEADER]: "no"
-          }
+          status: 404
         });
       }
     }

package/dist/runtime/server/endpoint.d.ts

@@ -1,7 +1,8 @@
+import type { FetchState } from '../../core/fetch/fetch-state.js';
 import type { AstroLogger } from '../../core/logger/core.js';
 import type { APIRoute } from '../../types/public/common.js';
 import type { APIContext } from '../../types/public/context.js';
 /** Renders an endpoint request to completion, returning the body. */
 export declare function renderEndpoint(mod: {
     [method: string]: APIRoute;
-}, context: APIContext, isPrerendered: boolean, logger: AstroLogger): Promise<Response>;
+}, context: APIContext, isPrerendered: boolean, logger: AstroLogger, state?: FetchState): Promise<Response>;

package/dist/runtime/server/endpoint.js

@@ -1,8 +1,8 @@
 import colors from "piccolore";
-import { REROUTABLE_STATUS_CODES, REROUTE_DIRECTIVE_HEADER } from "../../core/constants.js";
+import { REROUTABLE_STATUS_CODES } from "../../core/constants.js";
 import { AstroError } from "../../core/errors/errors.js";
 import { EndpointDidNotReturnAResponse } from "../../core/errors/errors-data.js";
-async function renderEndpoint(mod, context, isPrerendered, logger) {
+async function renderEndpoint(mod, context, isPrerendered, logger, state) {
   const { request, url } = context;
   const method = request.method.toUpperCase();
   let handler = mod[method] ?? mod["ALL"];
@@ -38,17 +38,8 @@ Found handlers: ${Object.keys(mod).map((exp) => JSON.stringify(exp)).join(", ")}
   if (!response || response instanceof Response === false) {
     throw new AstroError(EndpointDidNotReturnAResponse);
   }
-  if (REROUTABLE_STATUS_CODES.includes(response.status)) {
-    try {
-      response.headers.set(REROUTE_DIRECTIVE_HEADER, "no");
-    } catch (err) {
-      if (err.message?.includes("immutable")) {
-        response = new Response(response.body, response);
-        response.headers.set(REROUTE_DIRECTIVE_HEADER, "no");
-      } else {
-        throw err;
-      }
-    }
+  if (state && REROUTABLE_STATUS_CODES.includes(response.status)) {
+    state.skipErrorReroute = true;
   }
   if (method === "HEAD") {
     return new Response(null, response);

package/dist/runtime/server/jsx.js

@@ -87,7 +87,7 @@ Did you forget to import the component or is it possible there is a typo?`);
           _slots.default.push(child);
           return;
         }
-        if ("slot" in child.props) {
+        if ("slot" in child.props && !isCustomElement) {
           _slots[child.props.slot] = [..._slots[child.props.slot] ?? [], child];
           delete child.props.slot;
           return;
@@ -116,6 +116,7 @@ Did you forget to import the component or is it possible there is a typo?`);
       const _slots = {
         default: []
       };
+      const isCustomElement = typeof vnode.type === "string" && vnode.type.includes("-");
       extractSlots2(children);
       for (const [key, value] of Object.entries(props)) {
         if (value?.["$$slot"]) {

package/dist/runtime/server/render/head.js

@@ -51,7 +51,8 @@ function renderAllHeadContent(result) {
   const links = deduplicateElements(Array.from(result.links)).map(
     (link) => renderElement("link", link, false)
   );
-  content += styles.join("\n") + links.join("\n") + scripts.join("\n");
+  const sep = result.compressHTML === true || result.compressHTML === "jsx" ? "" : "\n";
+  content += styles.join(sep) + links.join(sep) + scripts.join(sep);
   content += result._metadata.extraHead.join("");
   return markHTMLString(content);
 }

package/dist/runtime/server/render/util.js

@@ -6,6 +6,7 @@ const htmlBooleanAttributes = /^(?:allowfullscreen|async|autofocus|autoplay|chec
 const AMPERSAND_REGEX = /&/g;
 const DOUBLE_QUOTE_REGEX = /"/g;
 const STATIC_DIRECTIVES = /* @__PURE__ */ new Set(["set:html", "set:text"]);
+const INVALID_ATTR_NAME_CHAR = /[\s"'>/=]/;
 const toIdent = (k) => k.trim().replace(/(?!^)\b\w|\s+|\W+/g, (match, index) => {
   if (/\W/.test(match)) return "";
   return index === 0 ? match : match.toUpperCase();
@@ -43,6 +44,9 @@ function addAttribute(value, key, shouldEscape = true, tagName = "") {
   if (value == null) {
     return "";
   }
+  if (INVALID_ATTR_NAME_CHAR.test(key)) {
+    return "";
+  }
   if (STATIC_DIRECTIVES.has(key)) {
     console.warn(`[astro] The "${key}" directive cannot be applied dynamically at runtime. It will not be rendered as an attribute.