Revert "Remove flight chunk" #1278
@@ -0,0 +1,5 @@ | ||
--- | ||
'@shopify/hydrogen': patch | ||
--- | ||
|
||
Reverts [#1272](https://github.com/Shopify/hydrogen/pull/1272) and properly escapes terminating script sequences |
|
@@ -216,7 +216,7 @@ async function render( | |
) { | ||
const state = {pathname: url.pathname, search: url.search}; | ||
|
||
const {AppSSR} = buildAppSSR( | ||
const {AppSSR, rscReadable} = buildAppSSR( | ||
{ | ||
App, | ||
log, | ||
|
@@ -233,9 +233,10 @@ async function render( | |
return template; | ||
} | ||
|
||
let html = await renderToBufferedString(AppSSR, {log, nonce}).catch( | ||
onErrorShell | ||
); | ||
let [html, flight] = await Promise.all([ | ||
renderToBufferedString(AppSSR, {log, nonce}).catch(onErrorShell), | ||
bufferReadableStream(rscReadable.getReader()).catch(() => null), | ||
]); | ||
|
||
const {headers, status, statusText} = getResponseOptions(componentResponse); | ||
|
||
|
@@ -261,6 +262,18 @@ async function render( | |
|
||
html = applyHtmlHead(html, request.ctx.head, template); | ||
|
||
if (flight) { | ||
html = html.replace( | ||
'</body>', | ||
() => | ||
`${flightContainer({ | ||
init: true, | ||
nonce, | ||
chunk: flight as string, | ||
})}</body>` | ||
); | ||
} | ||
|
||
postRequestTasks('ssr', status, request, componentResponse); | ||
|
||
return new Response(html, { | ||
|
@@ -307,7 +320,13 @@ async function stream( | |
const rscToScriptTagReadable = new ReadableStream({ | ||
start(controller) { | ||
log.trace('rsc start chunks'); | ||
bufferReadableStream(rscReadable.getReader()).then(() => { | ||
let init = true; | ||
const encoder = new TextEncoder(); | ||
bufferReadableStream(rscReadable.getReader(), (chunk) => { | ||
const scriptTag = flightContainer({init, chunk, nonce}); | ||
controller.enqueue(encoder.encode(scriptTag)); | ||
init = false; | ||
}).then(() => { | ||
log.trace('rsc finish chunks'); | ||
return controller.close(); | ||
}); | ||
|
@@ -839,6 +858,27 @@ async function createNodeWriter() { | |
return new PassThrough() as InstanceType<typeof PassThroughType>; | ||
} | ||
|
||
function flightContainer({ | ||
init, | ||
chunk, | ||
nonce, | ||
}: { | ||
chunk?: string; | ||
init?: boolean; | ||
nonce?: string; | ||
}) { | ||
let script = `<script${nonce ? ` nonce="${nonce}"` : ''}>`; | ||
if (init) { | ||
script += 'var __flight=[];'; | ||
} | ||
|
||
if (chunk) { | ||
script += `__flight.push(${JSON.stringify(escapeScriptContent(chunk))})`; | ||
} | ||
|
||
return script + '</script>'; | ||
} | ||
|
||
function postRequestTasks( | ||
type: RenderType, | ||
status: number, | ||
|
@@ -850,3 +890,21 @@ function postRequestTasks( | |
logQueryTimings(type, request); | ||
request.savePreloadQueries(); | ||
} | ||
|
||
/** | ||
* This escaping function is borrowed from React core. It prevents flight syntax from | ||
* prematurely ending the script tag. Untrusted script content should be made safe | ||
* before using this api by the developer, but this ensures that the script cannot | ||
* be early terminated or never terminated state. | ||
* @see https://github.com/facebook/react/blob/4c03bb6ed01a448185d9a1554229208a9480560d/packages/react-dom/src/server/ReactDOMServerFormatConfig.js#L96 | ||
*/ | ||
function escapeScriptContent(scriptText: string) { | ||
return ('' + scriptText).replace(scriptRegex, scriptReplacer); | ||
} | ||
const scriptRegex = /(<\/|<)(s)(cript)/gi; | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I'm not sure if this is a concern here, but since this is a regex with a global flag, it's stateful and therefore calling There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. It seems to me that only |
||
const scriptReplacer = ( | ||
match: string, | ||
prefix: string, | ||
s: string, | ||
suffix: string | ||
) => `${prefix}${s === 's' ? '\\u0073' : '\\u0053'}${suffix}`; | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Interesting. It just replaces |
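Review bot: The order `JSON.stringify(escapeScriptContent(chunk))` in `flightContainer` (hunk at L98–L130) escapes the escape: `JSON.stringify` doubles the backslash that `scriptReplacer` emits, so the string the browser pushes into `__flight` holds the literal characters `\u0073` rather than `s`, and the chunk only round-trips to its original text because the flight consumer appears to decode each row as JSON (not shown in this diff — worth confirming against the client). Reversing the order, `script += `__flight.push(${escapeScriptContent(JSON.stringify(chunk))})`;`, still keeps the HTML tokenizer from ever seeing `</script` while letting the JavaScript string literal itself decode `\u0073`, so correctness no longer depends on how the consumer parses the chunk. Either way the reason belongs in a comment on the push line, since the borrowed doc on `escapeScriptContent` describes React's use on raw script text: `// applied to the JSON literal: the HTML tokenizer sees \u0073, the JS parser restores 's'`. Separately, in the `stream` hunk (L82–L96) the `bufferReadableStream(...).then(...)` chain has no rejection handler, so a failed RSC read leaves `controller` neither closed nor errored; `.catch((e) => controller.error(e))` would propagate it to the response stream. Both `render` and `stream` continue outside their hunks.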
@@ -0,0 +1,3 @@ | ||
export default function Passthrough({children}) { | ||
return children; | ||
} |
@@ -0,0 +1,11 @@ | ||
import Passthrough from '../components/Passthrough.client'; | ||
|
||
export default function Escaping() { | ||
return ( | ||
<Passthrough | ||
prop="</script><script>document.body = ''</script>" | ||
// eslint-disable-next-line react/no-children-prop | ||
children="</script><script>alert('hi')</script>" | ||
/> | ||
); | ||
} |
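Review bot: The fixture only exercises the lowercase closing tag `</script>`, while `scriptRegex` is flagged `gi` and also matches an opening `<script`, so the `'\\u0053'` upper-case branch of `scriptReplacer` is never hit by this page. Adding one more prop with a mixed-case and opening-tag variant, e.g. `title="<SCRIPT>x</Script>"`, would pin both branches and the case-insensitive match. The component body is complete within this hunk.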
So just to clarify,
JSON.stringify()
eliminates the need for using backticks for the string that is passed to
push()
i.e. for `__flight.push(\`${normalizedChunk}\`)`
Correct? This way the case where this would be abused by passing a payload like
${alert(1)}
would no longer be a concern.
That's correct!