From f13833b0e2c043334942b8c4bfee71925a945efb Mon Sep 17 00:00:00 2001
From: patak
Date: Tue, 18 Apr 2023 09:37:23 +0200
Subject: [PATCH] fix: escape msg in render restricted error html
---
 packages/vite/package.json | 2 ++
 packages/vite/src/node/server/middlewares/static.ts | 3 ++-
 pnpm-lock.yaml | 10 ++++++++++
 3 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/packages/vite/package.json b/packages/vite/package.json
index e0acd2bffea77f..b97f5e8e59f4b3 100644
--- a/packages/vite/package.json
+++ b/packages/vite/package.json
@@ -86,6 +86,7 @@
 "@rollup/plugin-typescript": "^11.0.0",
 "@rollup/pluginutils": "^5.0.2",
 "@types/pnpapi": "^0.0.2",
+ "@types/escape-html": "^1.0.0",
 "acorn": "^8.8.2",
 "acorn-walk": "^8.2.0",
 "cac": "^6.7.14",
@@ -100,6 +101,7 @@
 "dotenv": "^16.0.3",
 "dotenv-expand": "^9.0.0",
 "es-module-lexer": "^1.2.0",
+ "escape-html": "^1.0.3",
 "estree-walker": "^3.0.3",
 "etag": "^1.8.1",
 "fast-glob": "^3.2.12",
diff --git a/packages/vite/src/node/server/middlewares/static.ts b/packages/vite/src/node/server/middlewares/static.ts
index f59961085e923f..63ea68d2ed6d3c 100644
--- a/packages/vite/src/node/server/middlewares/static.ts
+++ b/packages/vite/src/node/server/middlewares/static.ts
@@ -3,6 +3,7 @@ import type { OutgoingHttpHeaders, ServerResponse } from 'node:http'
 import type { Options } from 'sirv'
 import sirv from 'sirv'
 import type { Connect } from 'dep-types/connect'
+import escapeHtml from 'escape-html'
 import type { ViteDevServer } from '../..'
 import { FS_PREFIX } from '../../constants'
 import {
@@ -236,7 +237,7 @@ function renderRestrictedErrorHTML(msg: string): string {
 return html`
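Review bot: In the first hunk of packages/vite/package.json, `"@types/escape-html": "^1.0.0",` is added after `"@types/pnpapi": "^0.0.2",`, which breaks the alphabetical order the surrounding entries appear to follow. The second hunk does place `"escape-html"` in sorted position, between `"es-module-lexer"` and `"estree-walker"`. Moving the `@types/escape-html` line directly above `"@types/pnpapi"` would keep the list sorted and future dependency diffs easier to audit. Both entries use caret ranges, so the resolved versions are fixed only by pnpm-lock.yaml; the diffstat shows it was updated, but its hunk is not visible here to confirm what was locked.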

403 Restricted

-

${msg.replace(/\n/g, '
')}

+

${escapeHtml(msg).replace(/\n/g, '
')}