9 лет назад · 1e37633567
--- a/src/core/vdom/helpers/resolve-async-component.js
+++ b/src/core/vdom/helpers/resolve-async-component.js
@@ -1,5 +1,12 @@
 
				 /* @flow */
			
 
				 
			
 
				+// () => ({
			
 
				+//   component: import('./xxx.vue'),
			
 
				+//   delay: 200,
			
 
				+//   loading: LoadingComponent,
			
 
				+//   error: ErrorComponent
			
 
				+// })
			
 
				+
			
 
				 import {
			
 
				   warn,
			
 
				   isObject
			
--- a/src/platforms/web/server/modules/attrs.js
+++ b/src/platforms/web/server/modules/attrs.js
@@ -1,5 +1,7 @@
 
				 /* @flow */
			
 
				 
			
 
				+import { escape } from 'he'
			
 
				+
			
 
				 import {
			
 
				   isBooleanAttr,
			
 
				   isEnumeratedAttr,
			
@@ -40,7 +42,7 @@ export function renderAttr (key: string, value: string): string {
 
				   } else if (isEnumeratedAttr(key)) {
			
 
				     return ` ${key}="${isFalsyAttrValue(value) || value === 'false' ? 'false' : 'true'}"`
			
 
				   } else if (!isFalsyAttrValue(value)) {
			
 
				-    return ` ${key}="${value}"`
			
 
				+    return ` ${key}="${typeof value === 'string' ? escape(value) : value}"`
			
 
				   }
			
 
				   return ''
			
 
				 }
			
--- a/src/platforms/web/server/modules/class.js
+++ b/src/platforms/web/server/modules/class.js
@@ -1,10 +1,11 @@
 
				 /* @flow */
			
 
				 
			
 
				+import { escape } from 'he'
			
 
				 import { genClassForVnode } from 'web/util/index'
			
 
				 
			
 
				 export default function renderClass (node: VNodeWithData): ?string {
			
 
				   const classList = genClassForVnode(node)
			
 
				   if (classList) {
			
 
				-    return ` class="${classList}"`
			
 
				+    return ` class="${escape(classList)}"`
			
 
				   }
			
 
				 }
			
--- a/src/platforms/web/server/modules/style.js
+++ b/src/platforms/web/server/modules/style.js
@@ -1,4 +1,6 @@
 
				 /* @flow */
			
 
				+
			
 
				+import { escape } from 'he'
			
 
				 import { hyphenate } from 'shared/util'
			
 
				 import { getStyle } from 'web/util/style'
			
 
				 
			
@@ -14,6 +16,6 @@ function genStyleText (vnode: VNode): string {
 
				 export default function renderStyle (vnode: VNodeWithData): ?string {
			
 
				   const styleText = genStyleText(vnode)
			
 
				   if (styleText) {
			
 
				-    return ` style=${JSON.stringify(styleText)}`
			
 
				+    return ` style=${JSON.stringify(escape(styleText))}`
			
 
				   }
			
 
				 }
			
--- a/test/ssr/ssr-string.spec.js
+++ b/test/ssr/ssr-string.spec.js
@@ -761,6 +761,21 @@ describe('SSR: renderToString', () => {
 
				     })
			
 
				     expect(vm.a).toBe(func)
			
 
				   })
			
 
				+
			
 
				+  it('should prevent xss in attribtues', () => {
			
 
				+    renderVmWithOptions({
			
 
				+      data: {
			
 
				+        xss: '"><script>alert(1)</script>'
			
 
				+      },
			
 
				+      template: `
			
 
				+        <div>
			
 
				+          <a :title="xss" :style="{ color: xss }" :class="[xss]">foo</a>
			
 
				+        </div>
			
 
				+      `
			
 
				+    }, res => {
			
 
				+      expect(res).not.toContain(`<script>alert(1)</script>`)
			
 
				+    })
			
 
				+  })
			
 
				 })
			
 
				 
			
 
				 function renderVmWithOptions (options, cb) {