fix: dump encode data in comment #989
🦋 Changeset detected
Latest commit: e9cab21
The changes in this PR will be included in the next version bump.
This PR includes changesets to release 6 packages
Pull Request Overview
This PR fixes the dumping of encode data by moving it from an attribute to an HTML comment, reducing potential XSS risks and ensuring that snapshot outputs align with the updated rendering logic.
- Updates snapshot files to remove the ssr-encode-data attribute and add the thread-strategy attribute.
- Introduces a new escapeHtml utility function and applies it when rendering attribute values.
- Modifies dumpHTMLString.ts and createLynxView.ts to output encode data as an HTML comment.
Reviewed Changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| packages/web-platform/web-tests/tests/snapshots/server.vitest.spec.ts.snap | Updated snapshots to reflect the removal of the ssr-encode-data attribute and introduction of thread-strategy. |
| packages/web-platform/web-core-server/src/utils/escapeHtml.ts | Added a new utility for escaping HTML special characters. |
| packages/web-platform/web-core-server/src/dumpHTMLString.ts | Changed the dumping of ssrEncodeData from an element attribute to an HTML comment, with proper escaping. |
| packages/web-platform/web-core-server/src/createLynxView.ts | Added support for a threadStrategy attribute and moved the encode data dump into an HTML comment. |
| .changeset/shaggy-monkeys-fail.md | Updated changeset for the patch release. |
Comments suppressed due to low confidence (2)
packages/web-platform/web-core-server/src/createLynxView.ts:148
- Ensure that the 'thread-strategy' attribute value is consistently handled by all consumers and that its allowed values are validated to avoid unexpected behavior.
'thread-strategy="', threadStrategy, '"'
packages/web-platform/web-core-server/src/dumpHTMLString.ts:175
- Verify that dumping ssrEncodeData within an HTML comment does not affect downstream HTML parsing and that the change is consistently reflected in snapshot comparisons.
if (ssrEncodeData) {
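The review above concerns two output contexts, a quoted attribute value and an HTML comment, and each has its own terminator that serialized data must not be able to emit. The following TypeScript sketch is an added example, not code from this PR: the body of `escapeHtml`, the helpers `renderAttribute`, `dumpInComment` and `readFromComment`, the `<!--label:payload-->` layout and the sample data are assumptions for illustration; the `encodeURI(JSON.stringify(...))` encoding is the one the release notes on this page describe for datasets.

```typescript
// Added example: hypothetical helpers, not the PR's escapeHtml.ts or dumpHTMLString.ts.
const HTML_ESCAPES: Record<string, string> = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};

// Escape every character that can end a quoted attribute value or open a tag.
function escapeHtml(value: string): string {
  return value.replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch] ?? ch);
}

function renderAttribute(name: string, value: string): string {
  return `${name}="${escapeHtml(value)}"`;
}

// Serialize data into an HTML comment. encodeURI percent-encodes '<', '>' and '"',
// so the payload cannot contain "-->" or "--!>" and cannot close the comment early.
function dumpInComment(label: string, data: unknown): string {
  if (!/^[a-z][a-z0-9-]*$/.test(label)) {
    throw new Error("label must be a plain identifier");
  }
  const payload = encodeURI(JSON.stringify(data));
  return `<!--${label}:${payload}-->`;
}

// Client-side counterpart: locate the comment and decode the payload.
function readFromComment(label: string, html: string): unknown {
  const open = `<!--${label}:`;
  const start = html.indexOf(open);
  if (start < 0) return undefined;
  const end = html.indexOf("-->", start + open.length);
  if (end < 0) return undefined;
  return JSON.parse(decodeURI(html.slice(start + open.length, end)));
}

// Constructed sample input containing comment and attribute terminators.
const sample = { note: '--><b>"x"</b>', ratio: "50%" };
const dumped = dumpInComment("ssr-encode-data", sample);
```

The only `-->` in `dumped` is the one that closes the comment, and the payload decodes back to the original object.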
Codecov Report
All modified and coverable lines are covered by tests ✅
CodSpeed Performance Report
Merging #989 will not alter performance
React Example #1172 Bundle Size — 231.7KiB (0%). e9cab21 (current) vs 4bad030 main #1165 (baseline)
Bundle size by type: no changes
Branch: PupilTong:p/hw/ssr-escape-html
Web Explorer #1160 Bundle Size — 254.96KiB (0%). e9cab21 (current) vs 4bad030 main #1153 (baseline)
Branch: PupilTong:p/hw/ssr-escape-html
This PR was opened by the [Changesets release](https://github.com/changesets/action) GitHub action. When you're ready to do a release, you can merge this and the packages will be published to npm automatically. If you're not ready to do a release yet, that's fine, whenever you add more changesets to main, this PR will be updated.

# Releases

## @lynx-js/react@0.109.2

### Patch Changes

- Support for locating errors in the source code directly on the device when exceptions occur when using MTS. ([#1019](#1019))

  This requires Lynx engine v3.4 or later.

- Fix the "main-thread.js exception: ReferenceError: `__webpack_require__` is not defined" error in HMR. ([#985](#985))

  This error occurred when setting `output.iife: true`, which is the default value in `@lynx-js/rspeedy` v0.9.8.

## @lynx-js/rspeedy@0.9.9

### Patch Changes

- Set `optimization.emitOnErrors` when `DEBUG` is enabled. ([#1000](#1000))

  This is useful for debugging PrimJS Syntax error.

## @lynx-js/react-rsbuild-plugin@0.10.3

### Patch Changes

- Better [zustand](https://github.com/pmndrs/zustand) support by creating an alias for `use-sync-external-store`. ([#980](#980))

  See [#893](#893) for more details.

- Updated dependencies \[[`acc0d80`](acc0d80)]:
  - @lynx-js/runtime-wrapper-webpack-plugin@0.1.1
  - @lynx-js/react-alias-rsbuild-plugin@0.10.3
  - @lynx-js/use-sync-external-store@1.5.0
  - @lynx-js/react-refresh-webpack-plugin@0.3.3
  - @lynx-js/react-webpack-plugin@0.6.15
  - @lynx-js/css-extract-webpack-plugin@0.5.4
  - @lynx-js/template-webpack-plugin@0.7.2

## @lynx-js/css-serializer@0.1.3

### Patch Changes

- Support Windows. ([#1007](#1007))

## @lynx-js/offscreen-document@0.1.1

### Patch Changes

- feat: add sheet.insertRule support ([#1026](#1026))
- refactor: implement mts apis in closure pattern ([#1004](#1004))

## @lynx-js/web-constants@0.13.5

### Patch Changes

- refactor: move some internal status to dom's attribute ([#945](#945))

  It's essential for SSR

- fix: target.id is undefined ([#1016](#1016))
- feat: add new pageConfig configuration: enableJSDataProcessor ([#886](#886))
- refactor: move component config info to attribute ([#984](#984))
- refactor: save dataset on an attribute ([#981](#981))

  On lynx, the `data-*` attributes have different behaviors than the HTMLElement has. The dataset will be treated as properties, the key will not be applied the camel-case <-> hyphenate name transformation. Before this commit we use it as a runtime data, but after this commit we will use encodeURI(JSON.stringify(dataset)) to encode it as a string.

- refactor: create elements of `elementToRuntimeInfoMap` on demand ([#986](#986))
- refactor: implement mts apis in closure pattern ([#1004](#1004))
- Updated dependencies \[]:
  - @lynx-js/web-worker-rpc@0.13.5

## @lynx-js/web-core@0.13.5

### Patch Changes

- refactor: move some internal status to dom's attribute ([#945](#945))

  It's essential for SSR

- refactor: avoid to create many style element for cssog ([#1026](#1026))
- refactor: move component config info to attribute ([#984](#984))
- fix: ensure render starts after dom connected ([#1020](#1020))
- refactor: save dataset on an attribute ([#981](#981))

  On lynx, the `data-*` attributes have different behaviors than the HTMLElement has. The dataset will be treated as properties, the key will not be applied the camel-case <-> hyphenate name transformation. Before this commit we use it as a runtime data, but after this commit we will use encodeURI(JSON.stringify(dataset)) to encode it as a string.

- refactor: implement mts apis in closure pattern ([#1004](#1004))
- Updated dependencies \[[`70b82d2`](70b82d2), [`5651e24`](5651e24), [`9499ea9`](9499ea9), [`50f0193`](50f0193), [`57bf0ef`](57bf0ef), [`5651e24`](5651e24), [`0525fbf`](0525fbf), [`b6b87fd`](b6b87fd), [`c014327`](c014327)]:
  - @lynx-js/web-mainthread-apis@0.13.5
  - @lynx-js/web-constants@0.13.5
  - @lynx-js/offscreen-document@0.1.1
  - @lynx-js/web-worker-runtime@0.13.5
  - @lynx-js/web-worker-rpc@0.13.5

## @lynx-js/web-core-server@0.13.5

### Patch Changes

- refactor: move some internal status to dom's attribute ([#945](#945))

  It's essential for SSR

- refactor: move component config info to attribute ([#984](#984))
- refactor: save dataset on an attribute ([#981](#981))

  On lynx, the `data-*` attributes have different behaviors than the HTMLElement has. The dataset will be treated as properties, the key will not be applied the camel-case <-> hyphenate name transformation. Before this commit we use it as a runtime data, but after this commit we will use encodeURI(JSON.stringify(dataset)) to encode it as a string.

- fix: dump encode data in comment ([#989](#989))

## @lynx-js/web-elements@0.7.5

### Patch Changes

- feat: x-input && x-textarea add new method: `getValue`, which returns the value of the input element, selectionStart and selectEnd when success. ([#982](#982))
- feat: x-input and x-textarea bindinput event return structures add `selectionStart`, `selectionEnd`, and `textLength`, `textLength` are marked as @deprecated ([#996](#996))
- feat: x-input and x-textarea support bindselection event, the returned type structure is `{ selectionStart: number; selectionEnd: number }`. ([#990](#990))
- Updated dependencies \[]:
  - @lynx-js/web-elements-template@0.7.5

## @lynx-js/web-mainthread-apis@0.13.5

### Patch Changes

- refactor: move some internal status to dom's attribute ([#945](#945))

  It's essential for SSR

- refactor: avoid to create many style element for cssog ([#1026](#1026))
- fix: target.id is undefined ([#1016](#1016))
- feat: add new pageConfig configuration: enableJSDataProcessor ([#886](#886))
- refactor: move component config info to attribute ([#984](#984))
- refactor: save dataset on an attribute ([#981](#981))

  On lynx, the `data-*` attributes have different behaviors than the HTMLElement has. The dataset will be treated as properties, the key will not be applied the camel-case <-> hyphenate name transformation. Before this commit we use it as a runtime data, but after this commit we will use encodeURI(JSON.stringify(dataset)) to encode it as a string.

- refactor: create elements of `elementToRuntimeInfoMap` on demand ([#986](#986))
- refactor: implement mts apis in closure pattern ([#1004](#1004))
- Updated dependencies \[[`70b82d2`](70b82d2), [`9499ea9`](9499ea9), [`50f0193`](50f0193), [`57bf0ef`](57bf0ef), [`0525fbf`](0525fbf), [`b6b87fd`](b6b87fd), [`c014327`](c014327)]:
  - @lynx-js/web-constants@0.13.5

## @lynx-js/web-worker-runtime@0.13.5

### Patch Changes

- refactor: implement mts apis in closure pattern ([#1004](#1004))
- Updated dependencies \[[`70b82d2`](70b82d2), [`5651e24`](5651e24), [`9499ea9`](9499ea9), [`50f0193`](50f0193), [`57bf0ef`](57bf0ef), [`5651e24`](5651e24), [`0525fbf`](0525fbf), [`b6b87fd`](b6b87fd), [`c014327`](c014327)]:
  - @lynx-js/web-mainthread-apis@0.13.5
  - @lynx-js/web-constants@0.13.5
  - @lynx-js/offscreen-document@0.1.1
  - @lynx-js/web-worker-rpc@0.13.5

## @lynx-js/runtime-wrapper-webpack-plugin@0.1.1

### Patch Changes

- Fix `requestAnimationFrame` is not working. ([#1021](#1021))

## @lynx-js/template-webpack-plugin@0.7.2

### Patch Changes

- Updated dependencies \[[`ccb4254`](ccb4254)]:
  - @lynx-js/css-serializer@0.1.3

## create-rspeedy@0.9.9

## @lynx-js/react-alias-rsbuild-plugin@0.10.3

## upgrade-rspeedy@0.9.9

## @lynx-js/web-elements-template@0.7.5

## @lynx-js/web-worker-rpc@0.13.5

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
No description provided.