[PR #597] [MERGED] fix: validate attribute names in next/head SSR serializer #697

New issue

Closed

opened 2026-05-06 13:09:37 +02:00 by BreizhHardware · 0 comments

BreizhHardware commented

2026-05-06 13:09:37 +02:00

Owner

📋 Pull Request Information

Original PR: https://github.com/cloudflare/vinext/pull/597
Author: @southpolesteve
Created: 3/19/2026
Status: ✅ Merged
Merged: 3/20/2026
Merged by: @southpolesteve

Base: main ← Head: fix/sanitize-head-attr-names

📝 Commits (1)

f77068c fix: validate attribute names in next/head SSR serializer

📊 Changes

2 files changed (+90 additions, -0 deletions)

View changed files

📝 packages/vinext/src/shims/head.ts (+20 -0)
📝 tests/shims.test.ts (+70 -0)

📄 Description

Summary

The head.ts SSR serializer was interpolating attribute names directly into HTML without validation. Only attribute values were escaped via escapeAttr().
Adds isSafeAttrName() that validates attribute names against a strict regex (alphanumeric, hyphens, colons, dots) and blocks inline event handler attributes (on*).
Applied in both the SSR reactElementToHTML() path and the client-side syncClientHead() path.

Details

Previously, attribute names from React element props were used verbatim in the SSR HTML output. If application code spread an object with arbitrary keys onto a JSX element inside <Head>, those keys would appear unescaped in the rendered HTML. The new validation rejects names containing characters that could break the attribute context (<, >, ", /, =, spaces) and blocks on* event handler attributes.

Standard HTML attributes like name, content, http-equiv, data-*, and XML-namespaced attributes like xml:lang continue to work normally.

Also adds unit tests covering allowed names, rejected names, event handlers, and edge cases.

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/cloudflare/vinext/pull/597 **Author:** [@southpolesteve](https://github.com/southpolesteve) **Created:** 3/19/2026 **Status:** ✅ Merged **Merged:** 3/20/2026 **Merged by:** [@southpolesteve](https://github.com/southpolesteve) **Base:** `main` ← **Head:** `fix/sanitize-head-attr-names` --- ### 📝 Commits (1) - [`f77068c`](https://github.com/cloudflare/vinext/commit/f77068c8a117eff2a2c66d53e3c73f99e56e51d4) fix: validate attribute names in next/head SSR serializer ### 📊 Changes **2 files changed** (+90 additions, -0 deletions) <details> <summary>View changed files</summary> 📝 `packages/vinext/src/shims/head.ts` (+20 -0) 📝 `tests/shims.test.ts` (+70 -0) </details> ### 📄 Description ## Summary - The head.ts SSR serializer was interpolating attribute names directly into HTML without validation. Only attribute values were escaped via `escapeAttr()`. - Adds `isSafeAttrName()` that validates attribute names against a strict regex (alphanumeric, hyphens, colons, dots) and blocks inline event handler attributes (`on*`). - Applied in both the SSR `reactElementToHTML()` path and the client-side `syncClientHead()` path. ## Details Previously, attribute names from React element props were used verbatim in the SSR HTML output. If application code spread an object with arbitrary keys onto a JSX element inside `<Head>`, those keys would appear unescaped in the rendered HTML. The new validation rejects names containing characters that could break the attribute context (`<`, `>`, `"`, `/`, `=`, spaces) and blocks `on*` event handler attributes. Standard HTML attributes like `name`, `content`, `http-equiv`, `data-*`, and XML-namespaced attributes like `xml:lang` continue to work normally. Also adds unit tests covering allowed names, rejected names, event handlers, and edge cases. --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>