fix: escape a single quote
Hi,
Firstly, thank you for the great project.
In this PR, I've implemented the escaping of a single quote (0x27) to '. This modification will prevent the potential execution of scripts, as illustrated below:
```jsx
const value = "alert('bar!')";
return <div onMouseOver={value}>foo</div>;
```
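As an added illustration (not code from this PR or from preact-render-to-string), the sketch below serializes the value from the description with and without escaping 0x27 and shows what an HTML parser reads back for each attribute delimiter. The helper names `escapeAttr`, `renderAttr` and `parsedValue` and the choice of `&#39;` as the entity are assumptions, and the parser is a simplified stand-in that only handles quoted values.

```javascript
// Added example: hypothetical helpers, not preact-render-to-string's own code.
const ENTITIES = { '&': '&amp;', '<': '&lt;', '"': '&quot;', "'": '&#39;' };

// Escape an attribute value; escapeApos toggles the 0x27 handling under discussion.
function escapeAttr(value, escapeApos) {
  const pattern = escapeApos ? /[&<"']/g : /[&<"]/g;
  return String(value).replace(pattern, (ch) => ENTITIES[ch]);
}

// Serialize one attribute with the given delimiter (" or ').
function renderAttr(name, value, quote, escapeApos) {
  return `${name}=${quote}${escapeAttr(value, escapeApos)}${quote}`;
}

// Simplified view of what an HTML parser recovers: read up to the first
// closing delimiter, then decode the entities (&amp; last, to avoid double decoding).
function parsedValue(attr) {
  const eq = attr.indexOf('=');
  const quote = attr[eq + 1];
  const end = attr.indexOf(quote, eq + 2);
  return attr
    .slice(eq + 2, end)
    .replace(/&#39;/g, "'")
    .replace(/&quot;/g, '"')
    .replace(/&lt;/g, '<')
    .replace(/&amp;/g, '&');
}

const value = "alert('bar!')"; // value from the PR description

// Build all four combinations of delimiter and 0x27 escaping.
function demo() {
  return {
    dqPlain: renderAttr('onMouseOver', value, '"', false),
    dqEscaped: renderAttr('onMouseOver', value, '"', true),
    sqPlain: renderAttr('onMouseOver', value, "'", false),
    sqEscaped: renderAttr('onMouseOver', value, "'", true),
  };
}

for (const [label, attr] of Object.entries(demo())) {
  console.log(label.padEnd(10), attr.padEnd(40), '->', parsedValue(attr));
}
```

With a double-quote delimiter the parsed value is identical whether or not 0x27 is escaped; only the single-quoted form changes, where the unescaped value is cut off at the first `'`.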
🦋 Changeset detected
Latest commit: 345fcc7ba96a0bfd67a4172a4b2f55f15834a871
The changes in this PR will be included in the next version bump.
This PR includes changesets to release 1 package
| Name | Type |
|---|---|
| preact-render-to-string | Major |
FYI: This is a breaking change. A good chunk of users from the Fresh framework depend on this working.
Hi @marvinhagemeister,
I'm aware that Preact is used for Fresh, and I am a fan of it. Indeed, this change introduces a breaking change that could have a significant impact. I believe it would be best to include this change when this package is released with a major version upgrade.