Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: escape a single quote #313

Open
wants to merge 3 commits into
base: main
Choose a base branch
from

Conversation

yusukebe
Copy link

Hi,

Firstly, thank you for the great project.

In this PR, I've implemented the escaping of a single quote (0x27) to '. This modification will prevent the potential execution of scripts, as illustrated below:

const value = "alert('bar!')";
return <div onMouseOver={value}>foo</div>;

@changeset-bot
Copy link

changeset-bot bot commented Aug 13, 2023

🦋 Changeset detected

Latest commit: 345fcc7

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package
Name Type
preact-render-to-string Major

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

@marvinhagemeister
Copy link
Member

FYI: This is a breaking change. A a good chunk of users from the Fresh framework depend on this working.

@yusukebe
Copy link
Author

Hi @marvinhagemeister,

I'm aware that Preact is used for Fresh, and I a fan of it. Indeed, this change introduces a breaking change that could have a significant impact. I believe it would be best to include this change when this package is released with a major version upgrade.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants