Skip to content

fix(shared): prevent SSR comment escaping from creating closing delimiters#15045

Open
edison1105 wants to merge 2 commits into
mainfrom
edison/fix-ghsa-9rff-comment-escape
Open

fix(shared): prevent SSR comment escaping from creating closing delimiters#15045
edison1105 wants to merge 2 commits into
mainfrom
edison/fix-ghsa-9rff-comment-escape

Conversation

@edison1105

@edison1105 edison1105 commented Jul 5, 2026

Copy link
Copy Markdown
Member

Refs GHSA-9rff-vwfp-83hv.

Summary by CodeRabbit

  • Bug Fixes

    • Improved handling of HTML comment-like sequences so comment boundaries are processed more reliably during server-side rendering and HTML escaping.
    • Prevents malformed or unexpected markup output when inputs contain tricky comment markers alongside real HTML fragments.
  • Tests

    • Added additional coverage for escaping comment content, including inputs resembling comment-close delimiters with HTML payloads.
    • Expanded the server-rendered HTML test case to include an additional comment-token scenario and validate the resulting rendered output.

@coderabbitai

coderabbitai Bot commented Jul 5, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

escapeHtmlComment now uses character-level filtering for comment content, and shared plus SSR tests cover crafted payloads and the resulting escaped output.

Changes

Comment Escaping Fix

Layer / File(s) Summary
Escaping implementation
packages/shared/src/escapeHtml.ts
escapeHtmlComment adds a fast precheck and replaces the old regex-only stripping with character-level filtering and trimming of comment-token fragments.
Escaping tests
packages/shared/__tests__/escapeHtml.spec.ts, packages/server-renderer/__tests__/render.spec.ts
Shared escaping tests and the SSR comment vnode test add crafted payload cases and assert the sanitized or rendered output.

Estimated code review effort: 3 (Moderate) | ~20 minutes

Suggested labels: :exclamation: p4-important

Suggested reviewers: KazariEX, skirtles-code

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly describes the shared SSR comment escaping fix and matches the main change in the patch.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch edison/fix-ghsa-9rff-comment-escape

Comment @coderabbitai help to get the list of available commands.

@github-actions

github-actions Bot commented Jul 5, 2026

Copy link
Copy Markdown

Size Report

Bundles

File Size Gzip Brotli
runtime-dom.global.prod.js 107 kB 40.3 kB 36.2 kB
vue.global.prod.js 165 kB 60.3 kB 53.7 kB

Usages

Name Size Gzip Brotli
createApp (CAPI only) 49 kB 19 kB 17.4 kB
createApp 57.1 kB 22.1 kB 20.2 kB
createSSRApp 61.6 kB 23.9 kB 21.8 kB
defineCustomElement 63.3 kB 24 kB 21.9 kB
overall 71.9 kB 27.5 kB 25.1 kB

@pkg-pr-new

pkg-pr-new Bot commented Jul 5, 2026

Copy link
Copy Markdown

Open in StackBlitz

@vue/compiler-core

pnpm add https://pkg.pr.new/@vue/compiler-core@15045
npm i https://pkg.pr.new/@vue/compiler-core@15045
yarn add https://pkg.pr.new/@vue/compiler-core@15045.tgz

@vue/compiler-dom

pnpm add https://pkg.pr.new/@vue/compiler-dom@15045
npm i https://pkg.pr.new/@vue/compiler-dom@15045
yarn add https://pkg.pr.new/@vue/compiler-dom@15045.tgz

@vue/compiler-sfc

pnpm add https://pkg.pr.new/@vue/compiler-sfc@15045
npm i https://pkg.pr.new/@vue/compiler-sfc@15045
yarn add https://pkg.pr.new/@vue/compiler-sfc@15045.tgz

@vue/compiler-ssr

pnpm add https://pkg.pr.new/@vue/compiler-ssr@15045
npm i https://pkg.pr.new/@vue/compiler-ssr@15045
yarn add https://pkg.pr.new/@vue/compiler-ssr@15045.tgz

@vue/reactivity

pnpm add https://pkg.pr.new/@vue/reactivity@15045
npm i https://pkg.pr.new/@vue/reactivity@15045
yarn add https://pkg.pr.new/@vue/reactivity@15045.tgz

@vue/runtime-core

pnpm add https://pkg.pr.new/@vue/runtime-core@15045
npm i https://pkg.pr.new/@vue/runtime-core@15045
yarn add https://pkg.pr.new/@vue/runtime-core@15045.tgz

@vue/runtime-dom

pnpm add https://pkg.pr.new/@vue/runtime-dom@15045
npm i https://pkg.pr.new/@vue/runtime-dom@15045
yarn add https://pkg.pr.new/@vue/runtime-dom@15045.tgz

@vue/server-renderer

pnpm add https://pkg.pr.new/@vue/server-renderer@15045
npm i https://pkg.pr.new/@vue/server-renderer@15045
yarn add https://pkg.pr.new/@vue/server-renderer@15045.tgz

@vue/shared

pnpm add https://pkg.pr.new/@vue/shared@15045
npm i https://pkg.pr.new/@vue/shared@15045
yarn add https://pkg.pr.new/@vue/shared@15045.tgz

vue

pnpm add https://pkg.pr.new/vue@15045
npm i https://pkg.pr.new/vue@15045
yarn add https://pkg.pr.new/vue@15045.tgz

@vue/compat

pnpm add https://pkg.pr.new/@vue/compat@15045
npm i https://pkg.pr.new/@vue/compat@15045
yarn add https://pkg.pr.new/@vue/compat@15045.tgz

commit: 86c334a

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@packages/shared/src/escapeHtml.ts`:
- Around line 50-57: The escapeHtmlComment function currently strips leading “>”
using a do/while regex loop that rescans the whole string on each pass, which
can become quadratic on long runs. Replace the repeated commentStripRE loop in
escapeHtmlComment with a single linear scan that removes the leading comment
markers in one pass while preserving the existing behavior.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: e53e5eb4-9290-4cf1-865f-923ef8786b0d

📥 Commits

Reviewing files that changed from the base of the PR and between c0606e9 and e7772a2.

📒 Files selected for processing (3)
  • packages/server-renderer/__tests__/render.spec.ts
  • packages/shared/__tests__/escapeHtml.spec.ts
  • packages/shared/src/escapeHtml.ts

Comment thread packages/shared/src/escapeHtml.ts Outdated
@edison1105 edison1105 added the ready to merge The PR is ready to be merged. label Jul 5, 2026
@edison1105 edison1105 force-pushed the edison/fix-ghsa-9rff-comment-escape branch from e3f1c1f to 86c334a Compare July 5, 2026 13:42
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

ready to merge The PR is ready to be merged.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant