From f837d3e6a27f7633a84e4d8c7dcc74bca1be1f84 Mon Sep 17 00:00:00 2001
From: Greg Johnston
Date: Tue, 1 Aug 2023 13:22:24 -0400
Subject: [PATCH] fix: correctly escape HTML in DynChild text nodes (closes #1475) (#1478)
---
 leptos_dom/src/ssr.rs | 15 +++++++++++++--
 leptos_dom/src/ssr_in_order.rs | 8 ++++++--
 2 files changed, 19 insertions(+), 4 deletions(-)
diff --git a/leptos_dom/src/ssr.rs b/leptos_dom/src/ssr.rs
index 687742690..0e65d2d4a 100644
--- a/leptos_dom/src/ssr.rs
+++ b/leptos_dom/src/ssr.rs
@@ -405,11 +405,14 @@ impl View {
 self,
 dont_escape_text: bool,
 ) -> Cow<'static, str> {
+ println!("render_to_string_helper {:?}", self);
 match self {
 View::Text(node) => {
 if dont_escape_text {
+ println!("don't escape {:?}", node.content);
 node.content
 } else {
+ println!("encode_safe {:?}", node.content);
 html_escape::encode_safe(&node.content).to_string().into()
 }
 }
@@ -492,9 +495,17 @@ impl View {
 // browser create the dynamic text as it's own text node
 if let View::Text(t) = child {
 if !cfg!(debug_assertions) {
- format!("{}", t.content).into()
+ format!(
+ "{}",
+ html_escape::encode_safe(
+ &t.content
+ )
+ )
+ .into()
 } else {
- t.content
+ html_escape::encode_safe(&t.content)
+ .to_string()
+ .into()
 }
 } else {
 child.render_to_string_helper(
diff --git a/leptos_dom/src/ssr_in_order.rs b/leptos_dom/src/ssr_in_order.rs
index c178ae445..e9dc54f5a 100644
--- a/leptos_dom/src/ssr_in_order.rs
+++ b/leptos_dom/src/ssr_in_order.rs
@@ -438,12 +438,16 @@ impl View {
 StreamChunk::Sync(
 format!(
 "{}",
- content
+ html_escape::encode_safe(
+ &content
+ )
 )
 .into(),
 )
 } else {
- StreamChunk::Sync(content)
+ StreamChunk::Sync(html_escape::encode_safe(
+ &content
+ ).to_string().into())
 },
 );
 } else {
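Review bot: The three `println!` calls added to `render_to_string_helper` (on `self` and twice on `node.content`) look like leftover debugging and should be removed before this lands. They write every rendered view, including the raw content of every text node, to the server's stdout on each render, which can put user-supplied or sensitive page content into logs and adds formatting cost to the rendering path. If the diagnostics are wanted, route them through the project's logging facility at a trace level instead of unconditional stdout. The function begins and continues outside the hunk.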
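Review bot: Both arms of `if !cfg!(debug_assertions)` now evaluate to the same escaped string, so the conditional can collapse to `html_escape::encode_safe(&t.content).to_string().into()`; the two arms that wrap `StreamChunk::Sync` in the `ssr_in_order.rs` hunk carry the same duplication, although the condition there is not visible. Separately, the `View::Text` arm in the first hunk skips escaping when `dont_escape_text` is set, while this path escapes unconditionally. If this branch sits inside the same helper (the hunk does not show the enclosing function), dynamic text in a context that is meant to stay raw would now be entity-encoded, so it is worth confirming which behaviour is intended and recording it in a comment next to the call.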
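Review bot: No regression test accompanies the escaping of `content` before it is wrapped in `StreamChunk::Sync`; the diffstat lists only `ssr.rs` and `ssr_in_order.rs`. A test that renders a dynamic text child containing markup such as `<b>` through both the string renderer and the in-order streaming renderer, and asserts that the output contains `&lt;b&gt;`, would keep the fix from silently regressing. A short comment above the call, for example `// dynamic text may carry untrusted input: HTML-escape before streaming`, would also record why the encoding happens at this point. The enclosing block begins and ends outside the hunk.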