Prevent inline qwikloader emission inside SVG/MathML foreign content in v2 SSR #8645
|
| if ( | ||
| elementName === 'plaintext' && | ||
| !isQwikStyle && | ||
| this.qlInclude === QwikLoaderInclude.Inline && | ||
| this.$noScriptHere$ === 0 | ||
| ) { | ||
| // <plaintext> switches the tokenizer to plain text until EOF, so any later script would be | ||
| // swallowed even after a serialized closing tag. | ||
| this.emitQwikLoaderInline(); | ||
| } |
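Review bot: The elementName === 'plaintext' branch only helps if emitQwikLoaderInline() runs before the <plaintext> start tag is written, because the comment in the block says every later script is swallowed until EOF. The visible lines do not show where in openElement the tag is serialized, so state that ordering in the comment and cover it with a test that checks the loader precedes the tag in the output.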
This is deprecated and would completely break Qwik anyway, so this case can be left out.
Removed the plaintext-specific block from openElement and dropped the plaintext regression test in commit e0a85e5.
Removed handling for 'plaintext' element in Qwik SSR. It is deprecated and would break Qwik anyway
Pull request overview
Extends the SSR v2 inline qwikloader emission guard so that it does not inject <script> while serializing inside elements whose tokenizer/parser state would corrupt the script (raw-text, escapable raw-text, legacy raw-text, template, and SVG/MathML foreign content). The previous guard only covered noscript, template, and script, leaving svg, math, style, textarea, title, iframe, noframes, xmp as cases where an inline loader could be emitted in an unsafe context.
Changes:
- Replaces the inline element-name comparison in openElement/_closeElement with a shared NO_SCRIPT_HERE_ELEMENTS Set covering all unsafe parser-state and foreign-content roots.
- Adds focused regression tests for foreign-content (svg, math), all guarded raw-text elements (via $noScriptHere$ refcount), and confirms plaintext-emission ordering, refactoring shared setup into createTestContainer.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| packages/qwik/src/server/ssr-container.ts | Introduces NO_SCRIPT_HERE_ELEMENTS set and uses it to gate the $noScriptHere$ counter in openElement/_closeElement. |
| packages/qwik/src/server/ssr-container.spec.ts | Adds regression tests for foreign content, guarded raw-text elements, and plaintext; extracts shared createTestContainer helper. |
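The refcount guard described in the overview above, as an added sketch that is not Qwik's code: MiniSsrWriter, its method names and the LOADER placeholder are hypothetical, and the element set is taken from the names listed in the overview. The nested svg > title case shows what a counter gives that a boolean flag would not: closing the inner element must not re-enable script emission while the outer one is still open.

```typescript
// Added illustration, not Qwik's implementation. Element names come from the PR
// overview; MiniSsrWriter, its methods and LOADER are hypothetical.
const NO_SCRIPT_HERE_ELEMENTS = new Set<string>([
  'noscript', 'template', 'script', // covered by the previous guard
  'style', 'textarea', 'title', 'iframe', 'noframes', 'xmp', // text-mode parser states
  'svg', 'math', // foreign-content roots
]);
const LOADER = '<script id="loader-placeholder"></script>'; // constructed stand-in

class MiniSsrWriter {
  private out: string[] = [];
  private noScriptHere = 0; // refcount: > 0 while any guarded element is open
  private loaderPending = false;
  private loaderEmitted = false;

  // Request the loader; it is written at the first position where the counter is 0.
  requestLoader(): void {
    this.loaderPending = !this.loaderEmitted;
    this.flushLoaderIfSafe();
  }
  openElement(name: string): void {
    this.out.push(`<${name}>`);
    if (NO_SCRIPT_HERE_ELEMENTS.has(name)) this.noScriptHere++;
  }
  closeElement(name: string): void {
    this.out.push(`</${name}>`);
    if (NO_SCRIPT_HERE_ELEMENTS.has(name)) this.noScriptHere--;
    this.flushLoaderIfSafe(); // the counter may just have returned to 0
  }
  text(value: string): void {
    this.out.push(value);
  }
  private flushLoaderIfSafe(): void {
    if (!this.loaderPending || this.noScriptHere > 0) return;
    this.out.push(LOADER);
    this.loaderPending = false;
    this.loaderEmitted = true;
  }
  html(): string {
    return this.out.join('');
  }
}

// Constructed input: the loader is requested while svg > title are both open.
function renderNestedForeignContent(): string {
  const w = new MiniSsrWriter();
  w.openElement('div'); w.openElement('svg'); w.openElement('title'); w.text('chart');
  w.requestLoader(); // deferred: counter is 2
  w.closeElement('title'); w.closeElement('svg'); w.closeElement('div');
  return w.html();
}
```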
Head branch was pushed to by a user without write access
| if ( | ||
| elementName === 'plaintext' && | ||
| !isQwikStyle && | ||
| this.qlInclude === QwikLoaderInclude.Inline && | ||
| this.$noScriptHere$ === 0 | ||
| ) { | ||
| // <plaintext> switches the tokenizer to plain text until EOF, so any later script would be | ||
| // swallowed even after a serialized closing tag. | ||
| this.emitQwikLoaderInline(); | ||
| } |
@copilot plaintext is deprecated and it would break Qwik anyway, so this if block can go
Done in e0a85e5: the plaintext if block was removed from packages/qwik/src/server/ssr-container.ts, and the related deprecated plaintext test was removed.
Fixes SSR inline qwikloader emission guards so scripts are not injected while serializing unsupported parser contexts, with focus on SVG/MathML foreign content and other blocked parser-state elements.
Changes made
svg, math)
qwik-local/loop-style.
plaintext-specific loader behavior and its related test based on review feedback.
Validation