Merge commit from fork

* fix: Use `devalue.uneval` to serialize `hydratable` keys

* oops

Author: elliott-with-the-longest-name-on-github

.changeset/tasty-vans-repeat.md

@@ -0,0 +1,5 @@
+---
+'svelte': patch
+---
+
+fix: use `devalue.uneval` to serialize `hydratable` keys

packages/svelte/src/internal/server/renderer.js

@@ -10,6 +10,7 @@ import { BLOCK_CLOSE, BLOCK_OPEN } from './hydration.js';
 import { attributes } from './index.js';
 import { get_render_context, with_render_context, init_render_context } from './render-context.js';
 import { sha256 } from './crypto.js';
+import * as devalue from 'devalue';
 
 /** @typedef {'head' | 'body'} RendererType */
 /** @typedef {{ [key in RendererType]: string }} AccumulatedContent */
@@ -669,7 +670,7 @@ export class Renderer {
 				for (const p of v.promises) await p;
 			}
 
-			entries.push(`[${JSON.stringify(k)},${v.serialized}]`);
+			entries.push(`[${devalue.uneval(k)},${v.serialized}]`);
 		}
 
 		let prelude = `const h = (window.__svelte ??= {}).h ??= new Map();`;

packages/svelte/tests/runtime-runes/samples/hydratable-script-escape/_config.js

@@ -0,0 +1,14 @@
+import { test } from '../../test';
+
+export default test({
+	skip_no_async: true,
+	mode: ['hydrate'],
+
+	props: {
+		key: '</script><script>throw new Error("pwned")</script>'
+	},
+
+	async test() {
+		// this test will fail when evaluating the `head` script if the vulnerability is present
+	}
+});

packages/svelte/tests/runtime-runes/samples/hydratable-script-escape/main.svelte

@@ -0,0 +1,9 @@
+<script>
+	import { hydratable } from "svelte";
+
+	const { key } = $props();
+
+	const value = await hydratable(key, () => Promise.resolve('safe'));
+</script>
+
+<p>{value}</p>