fix: escape <textarea value={...}> attribute properly (#8434)

src/compiler/compile/render_ssr/handlers/shared/get_attribute_value.ts

@@ -19,11 +19,17 @@ export function get_class_attribute_value(attribute: Attribute): ESTreeExpressio
 export function get_attribute_value(attribute: Attribute): ESTreeExpression {
 	if (attribute.chunks.length === 0) return x`""`;
 
+	/**
+	 * For value attribute of textarea, it will render as child node of `<textarea>` element.
+	 * Therefore, we need to escape as content (not attribute).
+	 */
+	const is_textarea_value = attribute.parent.name.toLowerCase() === 'textarea' && attribute.name.toLowerCase() === 'value';
+
 	return attribute.chunks
 		.map((chunk) => {
 			return chunk.type === 'Text'
 				? string_literal(chunk.data.replace(regex_double_quotes, '&quot;')) as ESTreeExpression
-				: x`@escape(${chunk.node}, true)`;
+				: x`@escape(${chunk.node}, ${is_textarea_value ? 'false' : 'true'})`;
 		})
 		.reduce((lhs, rhs) => x`${lhs} + ${rhs}`);
 }

test/runtime/samples/attribute-escape/_config.js

@@ -0,0 +1,4 @@
+export default {
+	html: '<textarea></textarea>',
+	ssrHtml: '<textarea>test\'"&gt;&lt;/textarea&gt;&lt;script&gt;alert(\'BIM\');&lt;/script&gt;</textarea>'
+};

test/runtime/samples/attribute-escape/main.svelte

@@ -0,0 +1 @@
+<textarea value={`test'"></textarea><script>alert('BIM');</script>`} />