fix(core): skip property-attribute emission for native elements + decode HTML entities on server walker read

Two related fixes to the property-binding SSR path.

1. Native-element guard. Property bindings on tags without a hyphen
   (`<input .value=${v}>`) used to emit a `data-webjs-prop-value`
   attribute, but nothing consumes it: the SSR walker only runs for
   custom elements, and on the browser side, page-template re-execution
   does not happen (page functions are server-only). The attribute was
   dead weight. Skip emission for non-custom-element tags; the property
   hole drops the same way it did before this branch.

2. HTML-entity decode in consumePropAttrs. parseAttrs returns the
   literal characters between the quote marks; `escapeAttr` had
   converted `"` to `&quot;` on the way out, so the walker
   was passing the still-escaped JSON to `parse()` and failing
   silently. Added an `unescapeAttr` helper that reverses the
   server-side escape (order matters: `&lt;`, then `&quot;`,
   then `&amp;`). The browser handles this automatically, so
   client-side hydration was unaffected.

Updated the `drops properties on server` snapshot test to its new
behavior name and assertion: native-element property bindings stay
dropped.

Author: vivek7405

packages/core/src/render-server.js

@@ -202,12 +202,22 @@ async function renderTemplate(tr, ctx) {
           state = 'in-tag';
           attrName = '';
         } else if (prefix === '.') {
-          // Property binding. Serialize via the wire format and emit
-          // as a `data-webjs-prop-<kebab-name>` side-channel attribute.
-          // The SSR walker reads it before calling instance.render();
-          // the client renderer applies + strips it on hydration so
-          // the settled DOM is clean.
+          // Property binding. Only meaningful on custom elements (which
+          // have a hyphen in the tag name and a WebComponent subclass
+          // that knows how to apply + strip data-webjs-prop-* on
+          // hydration). For native elements (`<input .value=${v}>`)
+          // the attribute would be dead weight (nothing consumes it),
+          // so we drop it the same way the old behaviour did. The
+          // client renderer still applies the property when the
+          // template runs in the browser, which is the only place a
+          // page-level `.prop` on a native element could have set the
+          // property to begin with.
           out = out.slice(0, attrStart);
+          if (!currentTag.includes('-')) {
+            state = 'in-tag';
+            attrName = '';
+            continue;
+          }
           try {
             const encoded = await stringify(val);
             out += `data-webjs-prop-${kebabCase(name)}="${escapeAttr(encoded)}"`;
@@ -686,6 +696,22 @@ function kebabCase(s) {
   return s.replace(/[A-Z]/g, (c) => `-${c.toLowerCase()}`);
 }
 
+/**
+ * Reverse `escapeAttr` on a server-side attribute value. Needed
+ * because `parseAttrs` returns the literal characters between the
+ * quote marks; HTML entities are not decoded by the regex. The
+ * browser handles this automatically, so client-side reads via
+ * `getAttribute()` do not need the same step.
+ *
+ * @param {string} s
+ */
+function unescapeAttr(s) {
+  return s
+    .replace(/&lt;/g, '<')
+    .replace(/&quot;/g, '"')
+    .replace(/&amp;/g, '&');
+}
+
 /**
  * Decode `data-webjs-prop-<kebab>` attributes from a parsed attribute
  * map, returning a map of camelCase property name to decoded value.
@@ -702,7 +728,7 @@ function consumePropAttrs(attrs) {
     if (!key.startsWith('data-webjs-prop-')) continue;
     const propName = camelCase(key.slice('data-webjs-prop-'.length));
     try {
-      props[propName] = parse(attrs[key]);
+      props[propName] = parse(unescapeAttr(attrs[key]));
     } catch {
       // Malformed payload. Skip silently so the rest of the component
       // can still render. The client-side hydration will also try and

test/render-server.test.js

@@ -26,12 +26,14 @@ test('drops event handlers on server', async () => {
   assert.equal(await renderToString(html`<button @click=${() => {}}>go</button>`), '<button >go</button>');
 });
 
-test('property bindings serialize into data-webjs-prop-* attributes on server', async () => {
-  // Previously these holes were dropped (lossy). Now they survive SSR
-  // via a side-channel attribute that the SSR walker reads for custom
-  // elements and the client renderer applies + strips on hydration.
-  const out = await renderToString(html`<input .value=${'typed'} />`);
-  assert.match(out, /data-webjs-prop-value="[^"]*typed[^"]*"/);
+test('property bindings on NATIVE elements drop on server (no consumer for them)', async () => {
+  // Native elements (`<input>`) have no SSR walker to construct an
+  // instance from. Emitting `data-webjs-prop-*` would be dead weight
+  // because nothing consumes it on the server or in the browser
+  // (the property is set by the client renderer when the same
+  // template runs in the browser, not from this attribute). So the
+  // hole still drops at SSR.
+  assert.equal(await renderToString(html`<input .value=${'typed'} />`), '<input  />');
 });
 
 test('boolean attribute renders only when truthy', async () => {