Skip to content

fix(compiler-vapor): escape html for safer template output #13919

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Sep 24, 2025
Merged

fix(compiler-vapor): escape html for safer template output #13919

merged 2 commits into from
Sep 24, 2025

Conversation

edison1105
Copy link
Member

@edison1105 edison1105 commented Sep 23, 2025
edited
Loading

see Playground

core/packages/compiler-dom/src/transforms/stringifyStatic.ts

Lines 299 to 315 in 5edb7ba

switch (node.type) {
case NodeTypes.ELEMENT:
return stringifyElement(node, context)
case NodeTypes.TEXT:
return escapeHtml(node.content)
case NodeTypes.COMMENT:
return `<!--${escapeHtml(node.content)}-->`
case NodeTypes.INTERPOLATION:
return escapeHtml(toDisplayString(evaluateConstant(node.content)))
case NodeTypes.COMPOUND_EXPRESSION:
return escapeHtml(evaluateConstant(node))
case NodeTypes.TEXT_CALL:
return stringifyNode(node.content, context)
default:
// static trees will not contain if/for nodes
return ''
}

@coderabbitai coderabbitai
Copy link

coderabbitai bot commented Sep 23, 2025

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

✨ Finishing touches
🧪 Generate unit tests
  • Create PR with unit tests
  • Post copyable unit tests in a comment
  • Commit unit tests in branch edison/fix/escapeHtmlForTextNode

Comment @coderabbitai help to get the list of available commands and usage tips.

@github-actions GitHub Actions
Copy link

Size Report

Bundles

File Size Gzip Brotli
compiler-dom.global.prod.js 84 kB 29.8 kB 26.3 kB
runtime-dom.global.prod.js 104 kB 39.1 kB 35.3 kB
vue.global.prod.js 162 kB 59.3 kB 52.9 kB

Usages

Name Size Gzip Brotli
createApp (CAPI only) 47.2 kB 18.4 kB 16.9 kB
createApp 56 kB 21.6 kB 19.7 kB
createApp + vaporInteropPlugin 68.6 kB 25.9 kB 23.6 kB
createVaporApp 20.9 kB 8.26 kB 7.57 kB
createSSRApp 60.3 kB 23.3 kB 21.3 kB
defineCustomElement 61 kB 23.1 kB 21.1 kB
overall 70.5 kB 26.8 kB 24.4 kB

@pkg-pr-new pkg.pr.new
Copy link

pkg-pr-new bot commented Sep 23, 2025
edited
Loading

Open in StackBlitz

@vue/compiler-core

npm i https://pkg.pr.new/@vue/compiler-core@13919

@vue/compiler-dom

npm i https://pkg.pr.new/@vue/compiler-dom@13919

@vue/compiler-sfc

npm i https://pkg.pr.new/@vue/compiler-sfc@13919

@vue/compiler-ssr

npm i https://pkg.pr.new/@vue/compiler-ssr@13919

@vue/compiler-vapor

npm i https://pkg.pr.new/@vue/compiler-vapor@13919

@vue/reactivity

npm i https://pkg.pr.new/@vue/reactivity@13919

@vue/runtime-core

npm i https://pkg.pr.new/@vue/runtime-core@13919

@vue/runtime-dom

npm i https://pkg.pr.new/@vue/runtime-dom@13919

@vue/runtime-vapor

npm i https://pkg.pr.new/@vue/runtime-vapor@13919

@vue/server-renderer

npm i https://pkg.pr.new/@vue/server-renderer@13919

@vue/shared

npm i https://pkg.pr.new/@vue/shared@13919

vue

npm i https://pkg.pr.new/vue@13919

@vue/compat

npm i https://pkg.pr.new/@vue/compat@13919

commit: 0d8bac1

@edison1105 edison1105 force-pushed the edison/fix/escapeHtmlForTextNode branch from a3edbab to 5edb7ba Compare September 23, 2025 14:22
@edison1105 edison1105 changed the title fix(compiler-vapor): escape html for text node in template fix(compiler-vapor): escape html for safer template output Sep 23, 2025
@edison1105 edison1105 added version: minor scope: vapor related to vapor mode labels Sep 23, 2025
@edison1105 edison1105 moved this to Vapor in Next Minor Sep 23, 2025
@edison1105 edison1105 moved this from Vapor to Ready To Merge in Next Minor Sep 24, 2025
@edison1105 edison1105 merged commit 3c31b71 into minor Sep 24, 2025
16 checks passed
@edison1105 edison1105 deleted the edison/fix/escapeHtmlForTextNode branch September 24, 2025 08:56
@github-project-automation github-project-automation bot moved this from Ready To Merge to Done in Next Minor Sep 24, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
scope: vapor related to vapor mode version: minor
Projects
Next Minor
Status: Done
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@edison1105