marko-js/marko marko@5.38.36
on GitHub

2 days ago

Patch Changes

#3159 19d4b37 Thanks @DylanPiercey! - Fix escaping issue for dynamic text interpolation inside <script>, <style>, <html-script> and <html-style> tags.
The issue was that the escaping logic for those tags used a CASE SENSITIVE search for the closing tag which could be bypassed like so:
```
<script>${"</SCRIPT><img src=x onerror=alert('uh oh')>"}</script>
```
Note that script and style there should never render unsanitized user defined values, regardless of wether or not the closing tag is escaped, since these are conceptually just "eval".
#3159 19d4b37 Thanks @DylanPiercey! - Fix escaping for <html-comment> tag.
Previously this tag relied on normal xml escaping which looks for <.
This PR updates to have a special escape for <html-comment> tags that replaces > instead.
```
// Previously incorrectly escaped.
<html-comment>${">Uh oh"}</html-comment>
```
Updated dependencies [19d4b37, 19d4b37]:
- @marko/runtime-tags@6.0.164

Check out latest releases or
releases around marko-js/marko marko@5.38.36

Don't miss a new marko release

NewReleases is sending notifications on new releases.

Get notifications