Merge pull request from GHSA-997g-27x8-43rf
Co-authored-by: Lenz Weber-Tronic <[email protected]>
TkDodo and phryneas authored Jan 30, 2024
1 parent 62704ce commit f2ddaf2
Showing 2 changed files with 27 additions and 2 deletions.
@@ -2,6 +2,7 @@

import { useServerInsertedHTML } from 'next/navigation'
import * as React from 'react'
import { htmlEscapeJsonString } from './htmlescape'

const serializedSymbol = Symbol('serialized')

@@ -83,7 +84,7 @@ export function createHydrationStreamProvider<TShape>() {
}) {
// unique id for the cache provider
const id = `__RQ${React.useId()}`
const idJSON = JSON.stringify(id)
const idJSON = htmlEscapeJsonString(JSON.stringify(id))

const [transformer] = React.useState(
() =>
@@ -124,7 +125,7 @@ export function createHydrationStreamProvider<TShape>() {

const html: Array<string> = [
`window[${idJSON}] = window[${idJSON}] || [];`,
`window[${idJSON}].push(${serializedCacheArgs});`,
`window[${idJSON}].push(${htmlEscapeJsonString(serializedCacheArgs)});`,
]
return (
<script
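Review bot: Nothing in the two changed files pins this fix with a test, and the escaping at `window[${idJSON}].push(${htmlEscapeJsonString(serializedCacheArgs)});` carries no comment saying why it is there. These strings end up in an inline `<script>` (the element opens just below; the rest of the function is outside the hunk), so a cached value containing `</script>` could otherwise end the script block early, and a later refactor that drops the call would silently reopen the issue. I would add a comment above the `html` array such as `// escape <, >, & and U+2028/U+2029 so serialized data cannot break out of the inline <script>`, plus a regression test that renders a value containing `</script>` and asserts the emitted markup contains `\u003c/script\u003e` instead. Escaping the whole expression is only meaning-preserving if `serializedCacheArgs` is pure JSON text; it is built outside the hunk, so that is worth confirming for custom transformers.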
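--- a/packages/react-query-next-experimental/src/htmlescape.ts
+++ b/packages/react-query-next-experimental/src/htmlescape.ts
@@ -0,0 +1,24 @@
+// --------------------------------------------------------------------------------
+//
+// copied from
+// https://github.com/vercel/next.js/blob/6bc07792a4462a4bf921a72ab30dc4ab2c4e1bda/packages/next/src/server/htmlescape.ts
+// License: https://github.com/vercel/next.js/blob/6bc07792a4462a4bf921a72ab30dc4ab2c4e1bda/packages/next/license.md
+//
+// --------------------------------------------------------------------------------
+
+// This utility is based on https://github.com/zertosh/htmlescape
+// License: https://github.com/zertosh/htmlescape/blob/0527ca7156a524d256101bb310a9f970f63078ad/LICENSE
+
+const ESCAPE_LOOKUP: { [match: string]: string } = {
+"&": "\\u0026",
+">": "\\u003e",
+"<": "\\u003c",
+"\u2028": "\\u2028",
+"\u2029": "\\u2029",
+};
+
+export const ESCAPE_REGEX = /[&><\u2028\u2029]/g;
+
+export function htmlEscapeJsonString(str: string): string {
+return str.replace(ESCAPE_REGEX, (match) => ESCAPE_LOOKUP[match]);
+}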
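Review bot: `htmlEscapeJsonString` has no doc comment stating its contract, and the name suggests general HTML escaping, which it is not. It rewrites `&`, `<`, `>`, U+2028 and U+2029 as `\uXXXX` escapes, which preserves meaning only inside JSON/JS string literals and protects only a `<script>` body; quotes are left alone, so the result is not safe in an attribute value or in HTML text. I would add a TSDoc block saying the input must be `JSON.stringify` output destined for an inline script and that the function must not be used for other HTML contexts. Separately, `ESCAPE_REGEX` is exported with the `g` flag although the provider imports only the function; a shared global regex keeps `lastIndex` state across `.test()`/`.exec()` calls, so dropping the `export` would prevent that misuse, at the cost of diverging from the upstream copy.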
