refactor: v2 release #6903
refactor: v2 release #6903
Conversation
🦋 Changeset detectedLatest commit: f640012 The changes in this PR will be included in the next version bump. This PR includes changesets to release 5 packages
Not sure what this means? Click here to learn what changesets are. Click here if you're a maintainer who wants to add another changeset to this PR |
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
commit: |
built with Refined Cloudflare Pages Action⚡ Cloudflare Pages Deployment
|
| } | ||
| errorDiv.setAttribute('q:key', '_error_'); | ||
| const journal: VNodeJournal = []; | ||
| vnode_getDOMChildNodes(journal, vHost).forEach((child) => errorDiv.appendChild(child)); |
Check warning
Code scanning / CodeQL
DOM text reinterpreted as HTML Medium
| const insertBefore = journal[idx++] as Element | Text | null; | ||
| let newChild: any; | ||
| while (idx < length && typeof (newChild = journal[idx]) !== 'number') { | ||
| insertParent.insertBefore(newChild, insertBefore); |
Check warning
Code scanning / CodeQL
DOM text reinterpreted as HTML Medium
| c.push(`\n/** Qwik Router Entries (${entries.length}) */`); | ||
| for (let i = 0; i < entries.length; i++) { | ||
| const entry = entries[i]; | ||
| c.push(`export const ${entry.id} = () => import(${JSON.stringify(entry.filePath)});`); |
Check warning
Code scanning / CodeQL
Improper code sanitization Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix AI 4 months ago
To fix the problem, we need to ensure that entry.filePath is properly sanitized before being used in the dynamically generated JavaScript code. We can achieve this by escaping potentially dangerous characters in the entry.filePath string. This can be done by implementing a function similar to escapeUnsafeChars from the example provided in the background section.
- Implement a function
escapeUnsafeCharsto escape potentially dangerous characters. - Use this function to sanitize
entry.filePathbefore including it in the generated code.
| @@ -2,2 +2,20 @@ | ||
|
|
||
| function escapeUnsafeChars(str: string): string { | ||
| const charMap: { [key: string]: string } = { | ||
| '<': '\\u003C', | ||
| '>': '\\u003E', | ||
| '/': '\\u002F', | ||
| '\\': '\\\\', | ||
| '\b': '\\b', | ||
| '\f': '\\f', | ||
| '\n': '\\n', | ||
| '\r': '\\r', | ||
| '\t': '\\t', | ||
| '\0': '\\0', | ||
| '\u2028': '\\u2028', | ||
| '\u2029': '\\u2029' | ||
| }; | ||
| return str.replace(/[<>\b\f\n\r\t\0\u2028\u2029]/g, x => charMap[x]); | ||
| } | ||
|
|
||
| export function createEntries(ctx: BuildContext, c: string[]) { | ||
| @@ -25,3 +43,3 @@ | ||
| const entry = entries[i]; | ||
| c.push(`export const ${entry.id} = () => import(${JSON.stringify(entry.filePath)});`); | ||
| c.push(`export const ${entry.id} = () => import(${escapeUnsafeChars(JSON.stringify(entry.filePath))});`); | ||
| } |
fix migrating from V1 with module resolution "node'
fix: api docs generation regexp
refactor: remove processJsx method
…-with-null fix: replacing projection content with null or undefined
fix: prevent multiple store deserialization
this broke the dev-serve e2e tests
chore: v2 merge main
fix: using routeLoader$ result as component prop
fix: wrap WrappedSignal without unwrap flag
Version Packages (alpha) Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
chore: cleanup and fix types
fix: don't wrap template literals with a function call inside in a si…
fix: finding vnodes on interaction
fix: attribute diffing
chore: refactor vSiblings
| } else if (key === 'value' && key in element) { | ||
| (element as any).value = String(value); | ||
| } else if (key === dangerouslySetInnerHTML) { | ||
| (element as any).innerHTML = value!; |
Check warning
Code scanning / CodeQL
DOM text reinterpreted as HTML Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix AI 6 days ago
To fix the problem, we need to ensure that the value assigned to innerHTML is properly sanitized to prevent XSS attacks. This can be achieved by using a library like DOMPurify to sanitize the HTML content before assigning it to innerHTML.
- Import the
DOMPurifylibrary. - Use
DOMPurify.sanitizeto sanitize thevaluebefore assigning it toinnerHTML. - Ensure that the
DOMPurifylibrary is included in the project dependencies.
| @@ -120,2 +120,3 @@ | ||
| import { isDev } from '@qwik.dev/core/build'; | ||
| import DOMPurify from 'dompurify'; | ||
| import { qwikDebugToString } from '../debug'; | ||
| @@ -915,3 +916,3 @@ | ||
| } else if (key === dangerouslySetInnerHTML) { | ||
| (element as any).innerHTML = value!; | ||
| (element as any).innerHTML = DOMPurify.sanitize(value!); | ||
| element.setAttribute(QContainerAttr, QContainerValue.HTML); |
| @@ -10,3 +10,4 @@ | ||
| "dependencies": { | ||
| "csstype": "^3.1" | ||
| "csstype": "^3.1", | ||
| "dompurify": "^3.2.4" | ||
| }, |
| Package | Version | Security advisories |
| dompurify (npm) | 3.2.4 | None |
Co-authored-by: Varixo <admin@varixo.pl> Co-authored-by: Miško Hevery <misko@hevery.com>
- custom serialization - adds eslint rules - renames signal classes to have ...Impl suffix so they don't clash with the abstract types
… underscore if it is starting from number
fix: change client side generated ID to start with build base
This PR is for showing progress on v2, and having installable npm packages.
DO NOT MERGE
The changes are meant to be readable and maintainable, so if things are unclear please let us know.