
Commit f2ddaf2

TkDodophryneas
andauthored
Merge pull request from GHSA-997g-27x8-43rf
Co-authored-by: Lenz Weber-Tronic <lorenz.weber-tronic@apollographql.com>
1 parent 62704ce commit f2ddaf2


2 files changed

+27
-2
lines changed


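--- a/packages/react-query-next-experimental/src/HydrationStreamProvider.tsx
+++ b/packages/react-query-next-experimental/src/HydrationStreamProvider.tsx
@@ -2,6 +2,7 @@
 
 import { useServerInsertedHTML } from 'next/navigation'
 import * as React from 'react'
+import { htmlEscapeJsonString } from './htmlescape'
 
 const serializedSymbol = Symbol('serialized')
 
@@ -83,7 +84,7 @@ export function createHydrationStreamProvider<TShape>() {
 }) {
 // unique id for the cache provider
 const id = `__RQ${React.useId()}`
-const idJSON = JSON.stringify(id)
+const idJSON = htmlEscapeJsonString(JSON.stringify(id))
 
 const [transformer] = React.useState(
 () =>
@@ -124,7 +125,7 @@ export function createHydrationStreamProvider<TShape>() {
 
 const html: Array<string> = [
 `window[${idJSON}] = window[${idJSON}] || [];`,
-`window[${idJSON}].push(${serializedCacheArgs});`,
+`window[${idJSON}].push(${htmlEscapeJsonString(serializedCacheArgs)});`,
 ]
 return (
 <script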
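Review bot: The `idJSON` and `push(...)` lines now route through `htmlEscapeJsonString`, but nothing at either call site records why, so a later reader may treat the wrapper as redundant with `JSON.stringify` and remove it. A comment above `const idJSON = htmlEscapeJsonString(JSON.stringify(id))` would pin the invariant: `// JSON.stringify leaves '<', '>' and '&' untouched; htmlEscapeJsonString rewrites them as \uXXXX so data interpolated into the inline <script> below cannot close the tag. Everything placed in 'html' must go through it.` Since `idJSON` is escaped once at construction and then reused in both `window[${idJSON}]` lines, while `serializedCacheArgs` is escaped at the point of use, it is worth saying in that comment that the two values are handled at different points on purpose. The enclosing component and `createHydrationStreamProvider` both start and end outside these hunks.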
Lines changed: 24 additions & 0 deletions
@@ -0,0 +1,24 @@
1+
// --------------------------------------------------------------------------------
2+
//
3+
// copied from
4+
// https://github.com/vercel/next.js/blob/6bc07792a4462a4bf921a72ab30dc4ab2c4e1bda/packages/next/src/server/htmlescape.ts
5+
// License: https://github.com/vercel/next.js/blob/6bc07792a4462a4bf921a72ab30dc4ab2c4e1bda/packages/next/license.md
6+
//
7+
// --------------------------------------------------------------------------------
8+
9+
// This utility is based on https://github.com/zertosh/htmlescape
10+
// License: https://github.com/zertosh/htmlescape/blob/0527ca7156a524d256101bb310a9f970f63078ad/LICENSE
11+
12+
const ESCAPE_LOOKUP: { [match: string]: string } = {
13+
"&": "\\u0026",
14+
">": "\\u003e",
15+
"<": "\\u003c",
16+
"\u2028": "\\u2028",
17+
"\u2029": "\\u2029",
18+
};
19+
20+
export const ESCAPE_REGEX = /[&><\u2028\u2029]/g;
21+
22+
export function htmlEscapeJsonString(str: string): string {
23+
return str.replace(ESCAPE_REGEX, (match) => ESCAPE_LOOKUP[match]);
24+
}
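Review bot: `ESCAPE_REGEX` is exported with the `g` flag, and a global `RegExp` keeps `lastIndex` state between `test()`/`exec()` calls, so a consumer that uses it as a check rather than through `String.prototype.replace` (which resets `lastIndex`) will see alternating results; the only use visible here is the `replace` on line 23, so either dropping the `export` or adding `/** Global (stateful) regex: only use via String.prototype.replace. */` above it closes that trap. Under `noUncheckedIndexedAccess` the expression `ESCAPE_LOOKUP[match]` is `string | undefined` while the replacer must return `string`; if the package builds with that option, `ESCAPE_LOOKUP[match] ?? match` keeps the types honest without changing behaviour, because the regex character class and the table keys are the same five characters. `htmlEscapeJsonString` also deserves a TSDoc block stating its contract: the output remains valid JSON because every replacement is a `\uXXXX` escape, it is meant for text inlined into a `<script>` body, and it is not an HTML-attribute escaper since `"` and `'` are left untouched.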
