fix(core): escape author-controlled values in bundler attribute selectors #1568
Open
calcarazgre646 wants to merge 1 commit into
…tors bundleToSingleHtml interpolated raw attribute values into querySelector attribute selectors at three sites: the external-script dedup (htmlBundler.ts:627, :828) and the sub-composition root lookup (:860). A value with a double quote (a quoted query param in a <script src>, or a data-composition-id) built a malformed selector that throws 'Attribute selector didn't terminate' in css-select and aborted the whole bundle. render/validate/snapshot/layout all call bundleToSingleHtml, so one such sub-composition crashed every one of them. Route the three sites through the existing cssAttributeSelector helper, which escapes backslash and quote - the same escaping the sibling link[href] dedup already applies and the helper is already used for data-composition-id at :799 and :863.
miguel-heygen added a commit that referenced this pull request Jun 19, 2026
…tors Extract cssAttrSelector to packages/core/src/utils/cssSelector.ts and use it (or CSS.escape for browser-side code) at all 12 sites that previously interpolated raw user-authored values into querySelector attribute selectors. A " in a composition ID, script src, or data-start value would produce a malformed selector that throws. Node-side (core compiler/parser): uses the shared cssAttrSelector. Browser-side (runtime, studio): uses native CSS.escape(). Supersedes #1568 which fixed only the 3 bundler sites.
Problem
`bundleToSingleHtml` interpolated raw attribute values into `querySelector` attribute selectors at three sites: the external-script dedup (`htmlBundler.ts:627`, `:828`) and the sub-composition root lookup (`:860`). A value containing a `"` (a quoted query param in a `<script src>`, or a `data-composition-id`) produced a malformed selector that throws `Attribute selector didn't terminate` in css-select, aborting the whole bundle. Since `render`, `validate`, `snapshot`, and `layout` all call `bundleToSingleHtml`, one such sub-composition crashes every one of them with an opaque error.
The sibling `link[href]` dedup (`:927`) already escapes via `.replace(/\\/g, "\\\\").replace(/"/g, '\\"')`, and the `cssAttributeSelector` helper (`:279`) does exactly that and is already used for `data-composition-id` at `:799` and `:863`. The three crashing sites just did not use it.
Change
Route all three through `cssAttributeSelector`. No behavior change for values without `"` or `\` (the escape is a no-op there).
Tests
A bundler test for a sub-composition whose external `<script src>` contains a `"`: it now bundles instead of throwing. Verified load-bearing (reverting the fix reproduces `Attribute selector didn't terminate`). Full core suite green (1912 tests).
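
The failure and the fix described in this pull request, as an added example that is not the project's code. `escapeAttrValue`, `rawSelector`, `escapedSelector` and `parseAttrValue` are hypothetical names, the sample values are constructed, and the small parser is a simplified stand-in for css-select that reuses the error message quoted above.

```javascript
// Added example with hypothetical names; not the project's helper.
// Escape a value for a double-quoted CSS attribute selector. Backslashes
// go first; otherwise the backslashes added for quotes get doubled.
function escapeAttrValue(value) {
  return String(value).replace(/\\/g, "\\\\").replace(/"/g, '\\"');
}

// Pre-fix pattern (raw interpolation) and post-fix pattern (escape first).
const rawSelector = (tag, attr, v) => `${tag}[${attr}="${v}"]`;
const escapedSelector = (tag, attr, v) => `${tag}[${attr}="${escapeAttrValue(v)}"]`;

// Simplified stand-in for a strict selector parser (not css-select itself):
// decodes the quoted value of tag[attr="..."] or throws. Only single-character
// backslash escapes are handled, which is all escapeAttrValue emits.
function parseAttrValue(selector) {
  const start = selector.indexOf('="');
  if (start === -1) throw new Error("no quoted attribute value");
  let out = "";
  for (let i = start + 2; i < selector.length; i++) {
    const ch = selector[i];
    if (ch === "\\" && i + 1 < selector.length) {
      out += selector[++i]; // escaped character is taken literally
    } else if (ch === '"') {
      if (selector.slice(i + 1) === "]") return out; // clean close
      break; // quote closed early and unparsed text follows
    } else {
      out += ch;
    }
  }
  throw new Error("Attribute selector didn't terminate");
}

// Returns the decoded value, or the error message if parsing throws.
function tryParse(selector) {
  try { return { ok: true, value: parseAttrValue(selector) }; }
  catch (e) { return { ok: false, error: e.message }; }
}

// Constructed sample values: a quoted query parameter and a trailing backslash.
const SAMPLES = ['https://cdn.example/lib.js?v="2"', "assets\\lib\\"];

function compare() {
  return SAMPLES.map((v) => ({
    raw: tryParse(rawSelector("script", "src", v)),
    escaped: tryParse(escapedSelector("script", "src", v)),
  }));
}
console.log(JSON.stringify(compare(), null, 2));
```

The trailing-backslash sample fails for a different reason than the quote: unescaped, the backslash swallows the closing quote, which is why the helper has to escape `\` as well as `"`.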