From 245e637d3aa68df1f56733ec90a43b195dd96221 Mon Sep 17 00:00:00 2001
From: Carlos Alcaraz <193642530+calcarazgre646@users.noreply.github.com>
Date: Thu, 18 Jun 2026 20:08:52 -0300
Subject: [PATCH] fix(core): escape author-controlled values in bundler
 attribute selectors

bundleToSingleHtml interpolated raw attribute values into querySelector
attribute selectors at three sites: the external-script dedup
(htmlBundler.ts:627, :828) and the sub-composition root lookup (:860). A
value with a double quote (a quoted query param in a <script src>, or a
data-composition-id) built a malformed selector that throws 'Attribute
selector didn't terminate' in css-select and aborted the whole bundle.
render/validate/snapshot/layout all call bundleToSingleHtml, so one such
sub-composition crashed every one of them.

Route the three sites through the existing cssAttributeSelector helper,
which escapes backslash and quote - the same escaping the sibling
link[href] dedup already applies and the helper is already used for
data-composition-id at :799 and :863.
---
 .../core/src/compiler/htmlBundler.test.ts     | 29 +++++++++++++++++++
 packages/core/src/compiler/htmlBundler.ts     |  6 ++--
 2 files changed, 32 insertions(+), 3 deletions(-)

diff --git a/packages/core/src/compiler/htmlBundler.test.ts b/packages/core/src/compiler/htmlBundler.test.ts
index d41dfbd1c4..0ee9eeaf72 100644
--- a/packages/core/src/compiler/htmlBundler.test.ts
+++ b/packages/core/src/compiler/htmlBundler.test.ts
@@ -125,6 +125,35 @@ describe("bundleToSingleHtml", () => {
     expect(bundled).not.toContain("SECRET_MARKER_LEAKED");
   });
 
+  it("bundles a sub-composition external script whose src contains a double quote", async () => {
+    // The external-script dedup interpolated src into a `script[src="..."]`
+    // selector unescaped, so a `"` in the URL (a quoted query param) built a
+    // malformed selector that threw in css-select and aborted the whole bundle.
+    // The sibling link[href] path already escapes; align the script path.
+    const quotedSrc = `https://cdn.example.com/lib.js?cb="x`;
+    const dir = makeTempProject({
+      "index.html": `<!doctype html>
+<html><body>
+  <div id="root" data-composition-id="main" data-width="1920" data-height="1080">
+    <div id="scene-host"
+      data-composition-id="scene"
+      data-composition-src="compositions/scene.html"
+      data-start="0" data-duration="5"></div>
+  </div>
+  <script>window.__timelines={};</script>
+</body></html>`,
+      "compositions/scene.html": `<template id="scene-template">
+  <div data-composition-id="scene" data-width="1920" data-height="1080">
+    <script src='${quotedSrc}'></script>
+  </div>
+</template>`,
+    });
+
+    const bundled = await bundleToSingleHtml(dir);
+    // Does not throw, and the external script survives into the bundle.
+    expect(bundled).toContain(`cb=`);
+  });
+
   it("produces a self-contained runtime script when no HYPERFRAME_RUNTIME_URL is set", async () => {
     // Regression guard: hf#XXX. The bundler used to emit
     // <script ... src=""></script> when no runtime URL was configured. An
diff --git a/packages/core/src/compiler/htmlBundler.ts b/packages/core/src/compiler/htmlBundler.ts
index 538f0632ff..62ab48f9c0 100644
--- a/packages/core/src/compiler/htmlBundler.ts
+++ b/packages/core/src/compiler/htmlBundler.ts
@@ -624,7 +624,7 @@ export interface BundleOptions {
  */
 
 function ensureExternalScriptTag(doc: Document, src: string): void {
-  if (doc.querySelector(`script[src="${src}"]`)) return;
+  if (doc.querySelector(`script${cssAttributeSelector("src", src)}`)) return;
   const el = doc.createElement("script");
   el.setAttribute("src", src);
   doc.body.appendChild(el);
@@ -825,7 +825,7 @@ export async function bundleToSingleHtml(
         continue;
       }
     }
-    if (!document.querySelector(`script[src="${extSrc}"]`)) {
+    if (!document.querySelector(`script${cssAttributeSelector("src", extSrc)}`)) {
       const extScript = document.createElement("script");
       extScript.setAttribute("src", extSrc);
       document.body.appendChild(extScript);
@@ -857,7 +857,7 @@ export async function bundleToSingleHtml(
       const hostIdentity = hostIdentityByElement.get(host);
       const runtimeCompId = hostIdentity?.runtimeCompositionId || compId;
       const innerDoc = parseHTMLContent(templateHtml);
-      const innerRoot = innerDoc.querySelector(`[data-composition-id="${compId}"]`);
+      const innerRoot = innerDoc.querySelector(cssAttributeSelector("data-composition-id", compId));
       const authoredRootId = innerRoot?.getAttribute("id")?.trim() || null;
       const runtimeScope = runtimeCompId
         ? cssAttributeSelector("data-composition-id", runtimeCompId)