
fix: move style validation to style compiler

Open nolanlawson opened this issue 4 months ago • 0 comments

Details

Fixes #3454

This moves style content validation from @lwc/engine-server into @lwc/style-compiler, but only for components with API version 62+. This avoids a breaking change.

The main purpose of this validation is to avoid XSS in CSS during SSR, e.g.:

[data-foo="</style><script>alert('pwned!')</script>"] {
    color: red;
}

However, this is technically a breaking change, and the vast majority of existing components don't care about this because they don't support SSR.

However, it's a perf tax to do this validation during SSR serialization (especially for large stylesheets), so ideally we'd want to do it during compilation instead. This PR achieves that without breaking backwards compat.

Does this pull request introduce a breaking change?

  • 💔 Yes, it does introduce a breaking change.

Yes, for OSS package authors, who don't use API versioning, this is technically a breaking change. This will require a major version bump.

Does this pull request introduce an observable change?

  • 🔬 Yes, it does include an observable change.

See above

nolanlawson, Mar 29 '24 22:03
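Added example, not part of the PR or of LWC's code: a sketch of the kind of compile-time check the description refers to, showing where an HTML parser ends the `<style>` element for the selector quoted above. The helper names (`validateStyleContent`, `renderStyleTag`, `parsedStyleText`, `compileStylesheets`) and the sample stylesheets are assumptions constructed for illustration.

```javascript
// Hypothetical helpers for illustration; not LWC's implementation.
// Conservative rule: reject any "</style" (case-insensitive), because the HTML
// tokenizer matches end-tag names case-insensitively inside a <style> element.
const STYLE_END_TAG = /<\/style/i;

// Compile-time validation: runs once per stylesheet and fails the build,
// instead of scanning the CSS on every server-side render.
function validateStyleContent(css, filename = '<anonymous>') {
    const match = STYLE_END_TAG.exec(css);
    if (match) {
        const line = css.slice(0, match.index).split('\n').length;
        throw new Error(`${filename}:${line}: stylesheet contains "${match[0]}", ` +
            'which would close the <style> element in server-rendered HTML');
    }
    return css;
}

// Naive SSR serialization: the CSS text is concatenated into the markup as-is.
function renderStyleTag(css) {
    return `<style>${css}</style>`;
}

// What an HTML parser keeps as stylesheet text: everything up to the first
// end tag, i.e. "</style" followed by whitespace, "/" or ">".
function parsedStyleText(html) {
    const start = html.indexOf('<style>') + '<style>'.length;
    const end = html.slice(start).search(/<\/style[\t\n\f />]/i);
    return html.slice(start, start + end);
}

// Validate a set of stylesheets the way a build step would.
function compileStylesheets(sources) {
    const accepted = [];
    const rejected = [];
    for (const [name, css] of Object.entries(sources)) {
        try {
            validateStyleContent(css, name);
            accepted.push(name);
        } catch (err) {
            rejected.push(err.message);
        }
    }
    return { accepted, rejected };
}

// Constructed sample inputs; breakout.css is the selector quoted in the PR text.
const SAMPLES = {
    'safe.css': '.a { color: red; }',
    'breakout.css': `[data-foo="</style><script>alert('pwned!')</script>"] {\n    color: red;\n}`,
    'mixed-case.css': '.b::after { content: "</STYLE >"; }',
};
```

For `breakout.css`, `parsedStyleText(renderStyleTag(...))` returns only `[data-foo="`; the rest of the stylesheet is parsed as markup outside the `<style>` element, which is why the check has to reject the content before it is serialized.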