
Encode closing Tag

Open jburghardt opened this issue 5 years ago • 8 comments

Currently, encoding in index.js only includes

const ENCODE = [
  ['&', '&amp;'],
  ['>', '&gt;'],
];

If a component is rendered via SSR and includes a property containing a closing script tag, that tag in the SSR-rendered HTML will close the hypernova script.

<script type="application/json" data-hypernova-key="App" data-hypernova-id="....">
   <!-- {"props": ..., "title":"</script "} 

which will throw an error in the JSON.parse method of the payload.

Is there a reason closing tags are not encoded here? The following changes would suffice:

var ENCODE = [
  ['&', '&amp;'],
  ['>', '&gt;'],
  ['<', '&lt;']
];

jburghardt avatar Oct 09 '19 11:10 jburghardt

</script shouldn't close anything? you'd need </script>, and the > is escaped.

ljharb avatar Oct 09 '19 18:10 ljharb

<script with a blank after the t does close the hypernova script

jburghardt avatar Oct 10 '19 07:10 jburghardt

It seems like indeed </ specifically should be escaped.

ljharb avatar Oct 10 '19 07:10 ljharb

This is what could happen

<html>
  <head></head>
  <body>

    <script type="application/json" id="hypernova-app"><!-- {"props": {"message": "Evil user comment containing </script ", "foo": "bar"}} --></script>

    <script type="text/javascript">
      document.addEventListener('DOMContentLoaded', function () {
        window.alert(document.getElementById('hypernova-app').innerHTML);
      });
    </script>

  </body>
</html>

jburghardt avatar Oct 10 '19 07:10 jburghardt

> It seems like indeed </ specifically should be escaped.

Escaping just < should be enough.

jburghardt avatar Oct 10 '19 08:10 jburghardt

That will cause a lot more escaping, of all html tags, unnecessarily. We should only escape the pair.

ljharb avatar Oct 10 '19 16:10 ljharb

Yep, you are right, I updated the pull request.

jburghardt avatar Oct 11 '19 08:10 jburghardt

@duoertai could you please take a look at this issue?

csharplus avatar May 08 '22 00:05 csharplus