pawa-ssr 1.3.6 → 1.3.8

package/index.js

@@ -1,7 +1,7 @@
 import {getServerInstance, setServer} from 'pawajs/server.js'
 import { DOMParser,parseHTML, HTMLElement} from 'linkedom'
 import PawaComponent from './pawaComponent.js'
-import { propsValidator, evaluateExpr,extractAtExpressions, reArrangeAttri,resumeAttribute, pawaGenerateId } from './utils.js'
+import { propsValidator, evaluateExpr,extractAtExpressions, reArrangeAttri,resumeAttribute, pawaGenerateId, escapeHtml } from './utils.js'
 import {AsyncLocalStorage} from'node:async_hooks'
 import { If,For,State,Switch, Key } from'./power.js';
 import PawaElement from'./pawaElement.js'
@@ -882,7 +882,7 @@ const attributeHandler =async (el, attr) => {
   const setSingle=(...string)=>{
     string.forEach(v => singleElement.add(v))
   }
-  setSingle('img','br')
+  setSingle('img', 'br', 'hr', 'input', 'meta', 'link', 'base', 'col', 'area', 'param', 'track', 'wbr');
   const partlyPawajsDirective=new Set()
   export const addToPartlyDirective=(...partly)=>{
     partly.forEach((v)=>{
@@ -975,6 +975,8 @@ export const render =async (el, contexts = {},stream) => {
       for(const attr of attributes){
         if (directives[attr.name]) {
           await directives[attr.name](el,attr,stream)  
+        }else if(attr.value.includes('@{')){
+          await  attributeHandler(el,attr)
         }else if (attr.name.startsWith('state-')) {
           directives['state-'](el,attr)
         }
@@ -1004,9 +1006,7 @@ export const render =async (el, contexts = {},stream) => {
             }catch(error){
               console.warn(error.message,error.stack)
             }
-          }else if(attr.value.includes('@{')){
-          await  attributeHandler(el,attr)
-        }
+          }
         }
           
       }
@@ -1034,27 +1034,28 @@ export const render =async (el, contexts = {},stream) => {
       }
     }
 if(!el._running){
-  const attr=Array.from(el.attributes).map(att=>`${att.name}="${att.value}"`).join(' ')
+  const attr = Array.from(el.attributes)
+    .map(att => `${att.name}="${escapeHtml(att.value)}"`)
+    .join(' ');
+  const attrStr = attr ? ` ${attr}` : '';
   const isSingle=singleElement.has(el.tagName.toLowerCase())
-  if (isSingle) {
-    stream(`<${el.tagName.toLowerCase()} ${attr} />`)
-  }else{
-    stream(`<${el.tagName.toLowerCase()} ${attr} >`)
-  }
+  const tagName = el.tagName.toLowerCase();
+
+  stream(`<${tagName}${attrStr}${isSingle ? ' />' : '>'}`);
+
+  if (!isSingle) {
    const children = el.childNodes;
    for(const child of children){
     if (child.nodeType === 3) {
-      stream(child.nodeValue)
+      stream(escapeHtml(child.nodeValue)) // Correct: linkedom decodes entities, so we must re-encode
     }else if (child.nodeType === 8) {
       stream(`<!--${child.nodeValue}-->`)
     }else if (child.nodeType === 1){
       await render(child, el._context,stream);
     }
    };
-   if (!isSingle) {
-    stream(`</${el.tagName.toLowerCase()}>`)
-   }
-  
+    stream(`</${tagName}>`)
+  }
 }
 
     el._setError()

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pawa-ssr",
-  "version": "1.3.6",
+  "version": "1.3.8",
   "type":"module",
   "description": "pawajs ssr libary",
   "main": "index.js",
@@ -25,6 +25,6 @@
   "homepage": "https://github.com/Allisboy/pawajs-ssr#readme",
   "dependencies": {
     "linkedom": "^0.18.11",
-    "pawajs": "^1.4.25"
+    "pawajs": "^1.4.28"
   }
 }

package/utils.js

@@ -246,3 +246,12 @@ export const replaceTemplateOperators = (expression) => {
     .replace(/\*\//g, '`'); // Also replace closing */ with backtick if needed
 };
 
+export const escapeHtml = (unsafe) => {
+  if (unsafe === null || unsafe === undefined) return '';
+  return String(unsafe)
+    .replace(/&/g, "&")
+    .replace(/</g, "&lt;")
+    .replace(/>/g, "&gt;")
+    .replace(/"/g, "&quot;")
+    .replace(/'/g, "&#039;");
+};