feat(server-islands): only encode ETAGO delimiter (#11513)

Co-authored-by: Matt Kane <[email protected]> Co-authored-by: Florian Lefebvre <[email protected]>
withastro · Jan 20, 2025 · f64b73c · f64b73c
1 parent 9cc46f6
commit f64b73c
Show file tree

Hide file tree

Showing 4 changed files with 26 additions and 6 deletions.
diff --git a/.changeset/fifty-socks-end.md b/.changeset/fifty-socks-end.md
@@ -0,0 +1,5 @@
+---
+'astro': patch
+---
+
+Updates the server islands encoding logic to only escape the script end tag open delimiter and opening HTML comment syntax
diff --git a/packages/astro/src/runtime/server/render/server-islands.ts b/packages/astro/src/runtime/server/render/server-islands.ts
@@ -15,13 +15,19 @@ export function containsServerDirective(props: Record<string | number, any>) {
 	return 'server:component-directive' in props;
 }
 
+const SCRIPT_RE = /<\/script/giu;
+const COMMENT_RE = /<!--/gu;
+const SCRIPT_REPLACER = '<\\/script';
+const COMMENT_REPLACER = '\\u003C!--';
+
+/**
+ * Encodes the script end-tag open (ETAGO) delimiter and opening HTML comment syntax for JSON inside a `<script>` tag.
+ * @see https://mathiasbynens.be/notes/etago
+ */
 function safeJsonStringify(obj: any) {
 	return JSON.stringify(obj)
-		.replace(/\u2028/g, '\\u2028')
-		.replace(/\u2029/g, '\\u2029')
-		.replace(/</g, '\\u003c')
-		.replace(/>/g, '\\u003e')
-		.replace(/\//g, '\\u002f');
+		.replace(SCRIPT_RE, SCRIPT_REPLACER)
+		.replace(COMMENT_RE, COMMENT_REPLACER);
 }
 
 function createSearchParams(componentExport: string, encryptedProps: string, slots: string) {

diff --git a/packages/astro/test/fixtures/server-islands/ssr/src/pages/index.astro b/packages/astro/test/fixtures/server-islands/ssr/src/pages/index.astro
@@ -1,12 +1,14 @@
 ---
 import Island from '../components/Island.astro';
+
+const xssMe ="</script><script>alert('xss')</script><!--"
 ---
 <html>
 <head>
   <title>Testing</title>
 </head>
 <body>
   <h1>Testing</h1>
-  <Island server:defer />
+  <Island server:defer message={xssMe} />
 </body>
 </html>
diff --git a/packages/astro/test/server-islands.test.js b/packages/astro/test/server-islands.test.js
@@ -37,6 +37,13 @@ describe('Server islands', () => {
 				assert.equal(serverIslandEl.length, 0);
 			});
 
+			it('HTML escapes scripts', async () => {
+				const res = await fixture.fetch('/');
+				assert.equal(res.status, 200);
+				const html = await res.text();
+				assert.equal(html.includes("</script><script>alert('xss')</script><!--"), false);
+			});
+
 			it('island is not indexed', async () => {
 				const res = await fixture.fetch('/_server-islands/Island', {
 					method: 'POST',