fix(compiler-vapor): escape html for safer template output (#13919)

edison1105 · web-flow · commit 3c31b71abcee · 2025-09-24T16:56:36.000+08:00
diff --git a/packages/compiler-vapor/__tests__/transforms/transformText.spec.ts b/packages/compiler-vapor/__tests__/transforms/transformText.spec.ts
@@ -48,4 +48,10 @@ describe('compiler: text transform', () => {
     expect(ir.block.operation).toMatchObject([])
     expect(ir.block.effect.length).toBe(1)
   })
+
+  it('escapes raw static text when generating the template string', () => {
+    const { ir } = compileWithTextTransform('<code>&lt;script&gt;</code>')
+    expect(ir.template).toContain('<code>&lt;script&gt;</code>')
+    expect(ir.template).not.toContain('<code><script></code>')
+  })
 })
diff --git a/packages/compiler-vapor/src/transforms/transformComment.ts b/packages/compiler-vapor/src/transforms/transformComment.ts
@@ -6,6 +6,7 @@ import {
 } from '@vue/compiler-dom'
 import type { NodeTransform, TransformContext } from '../transform'
 import { DynamicFlag } from '../ir'
+import { escapeHtml } from '@vue/shared'
 
 export const transformComment: NodeTransform = (node, context) => {
   if (node.type !== NodeTypes.COMMENT) return
@@ -14,7 +15,7 @@ export const transformComment: NodeTransform = (node, context) => {
     context.comment.push(node)
     context.dynamic.flags |= DynamicFlag.NON_TEMPLATE
   } else {
-    context.template += `<!--${node.content}-->`
+    context.template += `<!--${escapeHtml(node.content)}-->`
   }
 }
 
diff --git a/packages/compiler-vapor/src/transforms/transformText.ts b/packages/compiler-vapor/src/transforms/transformText.ts
@@ -16,6 +16,7 @@ import {
   isConstantExpression,
   isStaticExpression,
 } from '../utils'
+import { escapeHtml } from '@vue/shared'
 
 type TextLike = TextNode | InterpolationNode
 const seen = new WeakMap<
@@ -82,7 +83,7 @@ export const transformText: NodeTransform = (node, context) => {
   } else if (node.type === NodeTypes.INTERPOLATION) {
     processInterpolation(context as TransformContext<InterpolationNode>)
   } else if (node.type === NodeTypes.TEXT) {
-    context.template += node.content
+    context.template += escapeHtml(node.content)
   }
 }
 
@@ -143,7 +144,7 @@ function processTextContainer(
   const literals = values.map(getLiteralExpressionValue)
 
   if (literals.every(l => l != null)) {
-    context.childrenTemplate = literals.map(l => String(l))
+    context.childrenTemplate = literals.map(l => escapeHtml(String(l)))
   } else {
     context.childrenTemplate = [' ']
     context.registerOperation({

Original file line number	Diff line number	Diff line change
`@@ -6,6 +6,7 @@ import {`
`6`	`6`	`} from '@vue/compiler-dom'`
`7`	`7`	`import type { NodeTransform, TransformContext } from '../transform'`
`8`	`8`	`import { DynamicFlag } from '../ir'`
	`9`	`+import { escapeHtml } from '@vue/shared'`
`9`	`10`
`10`	`11`	`export const transformComment: NodeTransform = (node, context) => {`
`11`	`12`	`if (node.type !== NodeTypes.COMMENT) return`
`@@ -14,7 +15,7 @@ export const transformComment: NodeTransform = (node, context) => {`
`14`	`15`	`context.comment.push(node)`
`15`	`16`	`context.dynamic.flags \|= DynamicFlag.NON_TEMPLATE`
`16`	`17`	`} else {`
`17`		- context.template += `<!--${node.content}-->`
	`18`	+ context.template += `<!--${escapeHtml(node.content)}-->`
`18`	`19`	`}`
`19`	`20`	`}`
`20`	`21`