[PR #284] [MERGED] Escape closing tags in inline script/style SSR output #443

New issue

Closed

opened 2026-05-06 12:39:50 +02:00 by BreizhHardware · 0 comments

BreizhHardware commented

2026-05-06 12:39:50 +02:00

Owner

📋 Pull Request Information

Original PR: https://github.com/cloudflare/vinext/pull/284
Author: @southpolesteve
Created: 3/6/2026
Status: ✅ Merged
Merged: 3/6/2026
Merged by: @southpolesteve

Base: main ← Head: fix/escape-inline-script-content

📝 Commits (1)

b226f52 Escape closing tags in inline script/style SSR output

📊 Changes

3 files changed (+162 additions, -1 deletions)

View changed files

📝 packages/vinext/src/shims/head.ts (+23 -0)
📝 packages/vinext/src/shims/script.tsx (+7 -1)
📝 tests/shims.test.ts (+132 -0)

📄 Description

Summary

Inline <script> and <style> content rendered during SSR could produce malformed HTML when dangerouslySetInnerHTML.__html contained </script> or </style> sequences. The HTML parser treats these as the end of the containing element regardless of JavaScript/CSS string context, breaking the tag boundary.
Added escapeInlineContent() helper that replaces </script and </style with <\/script and <\/style (case-insensitive). Applied in the next/script beforeInteractive SSR path and next/head reactElementToHTML for script/style tags.

Changes

packages/vinext/src/shims/head.ts: Added escapeInlineContent() export. Applied it to dangerouslySetInnerHTML content for <script> and <style> tags in reactElementToHTML().
packages/vinext/src/shims/script.tsx: Imported escapeInlineContent and applied it to dangerouslySetInnerHTML.__html in the beforeInteractive SSR path before passing to React.createElement.
tests/shims.test.ts: 14 new tests covering the escaping helper (6 unit tests), Script component SSR (2 integration tests), and Head component SSR (3 integration tests), plus 3 existing tests continue to pass.

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/cloudflare/vinext/pull/284 **Author:** [@southpolesteve](https://github.com/southpolesteve) **Created:** 3/6/2026 **Status:** ✅ Merged **Merged:** 3/6/2026 **Merged by:** [@southpolesteve](https://github.com/southpolesteve) **Base:** `main` ← **Head:** `fix/escape-inline-script-content` --- ### 📝 Commits (1) - [`b226f52`](https://github.com/cloudflare/vinext/commit/b226f52000131b6c2ee09a0bc736afebf4dc6d03) Escape closing tags in inline script/style SSR output ### 📊 Changes **3 files changed** (+162 additions, -1 deletions) <details> <summary>View changed files</summary> 📝 `packages/vinext/src/shims/head.ts` (+23 -0) 📝 `packages/vinext/src/shims/script.tsx` (+7 -1) 📝 `tests/shims.test.ts` (+132 -0) </details> ### 📄 Description ## Summary - Inline `<script>` and `<style>` content rendered during SSR could produce malformed HTML when `dangerouslySetInnerHTML.__html` contained `</script>` or `</style>` sequences. The HTML parser treats these as the end of the containing element regardless of JavaScript/CSS string context, breaking the tag boundary. - Added `escapeInlineContent()` helper that replaces `</script` and `</style` with `<\/script` and `<\/style` (case-insensitive). Applied in the `next/script` `beforeInteractive` SSR path and `next/head` `reactElementToHTML` for script/style tags. ## Changes - `packages/vinext/src/shims/head.ts`: Added `escapeInlineContent()` export. Applied it to `dangerouslySetInnerHTML` content for `<script>` and `<style>` tags in `reactElementToHTML()`. - `packages/vinext/src/shims/script.tsx`: Imported `escapeInlineContent` and applied it to `dangerouslySetInnerHTML.__html` in the `beforeInteractive` SSR path before passing to `React.createElement`. - `tests/shims.test.ts`: 14 new tests covering the escaping helper (6 unit tests), Script component SSR (2 integration tests), and Head component SSR (3 integration tests), plus 3 existing tests continue to pass. --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>