-
Notifications
You must be signed in to change notification settings - Fork 1.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
refactor: v2 release #6903
base: main
Are you sure you want to change the base?
refactor: v2 release #6903
Conversation
🦋 Changeset detectedLatest commit: 6f98088 The changes in this PR will be included in the next version bump. This PR includes no changesetsWhen changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types Not sure what this means? Click here to learn what changesets are. Click here if you're a maintainer who wants to add another changeset to this PR |
commit: |
built with Refined Cloudflare Pages Action⚡ Cloudflare Pages Deployment
|
} | ||
errorDiv.setAttribute('q:key', '_error_'); | ||
const journal: VNodeJournal = []; | ||
vnode_getDOMChildNodes(journal, vHost).forEach((child) => errorDiv.appendChild(child)); |
Check warning
Code scanning / CodeQL
DOM text reinterpreted as HTML Medium
DOM text
DOM text
} else if (key === 'value' && key in element) { | ||
(element as any).value = escapeHTML(String(value)); | ||
} else if (key === dangerouslySetInnerHTML) { | ||
(element as any).innerHTML = value!; |
Check warning
Code scanning / CodeQL
DOM text reinterpreted as HTML Medium
DOM text
DOM text
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix AI 3 days ago
To fix the problem, we need to ensure that any text content extracted from the DOM and set as HTML is properly escaped to prevent XSS attacks. The best way to fix this is to use a function that escapes HTML special characters before setting the innerHTML
property.
- We will modify the code to use the
escapeHTML
function before setting theinnerHTML
property. - Specifically, we will change the line where
dangerouslySetInnerHTML
is used to ensure the value is escaped.
-
Copy modified line R896
@@ -895,3 +895,3 @@ | ||
} else if (key === dangerouslySetInnerHTML) { | ||
(element as any).innerHTML = value!; | ||
(element as any).innerHTML = escapeHTML(String(value!)); | ||
} else { |
const insertBefore = journal[idx++] as Element | Text | null; | ||
let newChild: any; | ||
while (idx < length && typeof (newChild = journal[idx]) !== 'number') { | ||
insertParent.insertBefore(newChild, insertBefore); |
Check warning
Code scanning / CodeQL
DOM text reinterpreted as HTML Medium
DOM text
DOM text
…nd wrap with "experimental"
V2 merge main
Co-authored-by: Jack Shelton <thejackshelton@users.noreply.github.com> Co-authored-by: Maïeul <maiieul@users.noreply.github.com> Co-authored-by: Wout Mertens <Wout.Mertens@gmail.com>
fix(slots): get the right component frame while processing slots
Co-authored-by: Wout Mertens <Wout.Mertens@gmail.com>
fix(render): fix inline component rendering
V2 Version Packages (alpha)
fix permissions for tagging v2 with latest
chore: merge main into v2 + fixups
fix: docs build command
fix(signals): schedule signal computation and run effects through the scheduler
refactor: v2 errors
V2 Version Packages (alpha)
fix: repl tabs
This PR is for showing progress on v2, and having installable npm packages.
DO NOT MERGE
The changes are meant to be readable and maintainable, so if things are unclear please let us know.