fix: escape `</script>` and other HTML tags in serialized resources

2023-03-28 20:34:54 -04:00 · 2023-03-28 20:34:54 -04:00 · b0f745f4a9
parent e6b1298915
commit b0f745f4a9
1 changed files with 4 additions and 2 deletions
--- a/leptos_dom/src/ssr.rs
+++ b/leptos_dom/src/ssr.rs
@ -509,12 +509,14 @@ pub(crate) fn render_serializers(
 ) -> impl Stream<Item = String> {
    serializers.map(|(id, json)| {
        let id = serde_json::to_string(&id).unwrap();
+        let json = json.replace('<', "\\u003c");
        format!(
            r#"<script>
+                  var val = {json:?};
                  if(__LEPTOS_RESOURCE_RESOLVERS.get({id})) {{
-                      __LEPTOS_RESOURCE_RESOLVERS.get({id})({json:?})
+                      __LEPTOS_RESOURCE_RESOLVERS.get({id})(val)
                  }} else {{
-                      __LEPTOS_RESOLVED_RESOURCES.set({id}, {json:?});
+                      __LEPTOS_RESOLVED_RESOURCES.set({id}, val);
                  }}
              </script>"#,
        )