Skip to content

fix: encode vnode metadata keys#8866

Merged
Varixo merged 1 commit into
mainfrom
codex/fix-xss-vulnerability-in-vnode-serialization
Jul 18, 2026
Merged

fix: encode vnode metadata keys#8866
Varixo merged 1 commit into
mainfrom
codex/fix-xss-vulnerability-in-vnode-serialization

Conversation

@Varixo

@Varixo Varixo commented Jul 18, 2026

Copy link
Copy Markdown
Member

Motivation

  • Prevent SSR XSS where attacker-controlled slot/property names can terminate <script type="qwik/vnode"> blocks because keys were written without HTML/script-safe escaping.
  • The change restores a safe round-trip encoding/decoding for vnode metadata keys so Out-Of-Order Suspense streaming (OOOS) cannot emit raw </script> sequences from public slot names.

Description

  • Encode vnode metadata keys on the server by applying encodeVNodeDataKey() then encodeVNodeDataString() before writing into qwik/vnode script content (change in packages/qwik/src/server/ssr-container.ts).
  • Decode encoded vnode metadata keys on the client by using decodeURIComponent(decodeVNodeDataString(...)) during VNode materialization (change in packages/qwik/src/core/client/vnode-utils.ts).
  • Add focused regression tests that assert a </script><script>... payload is not emitted raw and that encoded custom keys decode back on the client (changes in packages/qwik/src/server/ssr-container.spec.ts and packages/qwik/src/core/client/vnode.unit.tsx).
  • Add a patch changeset for @qwik.dev/core describing the fix (.changeset/secure-vnode-slot-names.md).

Testing

  • Built local dev artifacts with pnpm build.core.dev which completed successfully.
  • Ran focused unit tests with pnpm vitest run packages/qwik/src/server/ssr-container.spec.ts packages/qwik/src/core/client/vnode.unit.tsx --config vitest.config.ts --reporter=dot and the two modified test files passed (all tests in those files passed).

Codex Task

@Varixo
Varixo requested a review from a team as a code owner July 18, 2026 10:41
@Varixo Varixo added the codex label Jul 18, 2026
@changeset-bot

changeset-bot Bot commented Jul 18, 2026

Copy link
Copy Markdown

🦋 Changeset detected

Latest commit: e0b6229

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 5 packages
Name Type
@qwik.dev/core Patch
eslint-plugin-qwik Patch
@qwik.dev/react Patch
@qwik.dev/router Patch
create-qwik Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

@maiieul maiieul moved this to Waiting For Review in Qwik Development Jul 18, 2026
@pkg-pr-new

pkg-pr-new Bot commented Jul 18, 2026

Copy link
Copy Markdown

Open in StackBlitz

@qwik.dev/core

npm i https://pkg.pr.new/QwikDev/qwik/@qwik.dev/core@8866

@qwik.dev/router

npm i https://pkg.pr.new/QwikDev/qwik/@qwik.dev/router@8866

eslint-plugin-qwik

npm i https://pkg.pr.new/QwikDev/qwik/eslint-plugin-qwik@8866

create-qwik

npm i https://pkg.pr.new/QwikDev/qwik/create-qwik@8866

@qwik.dev/optimizer

npm i https://pkg.pr.new/QwikDev/qwik/@qwik.dev/optimizer@8866

@qwik.dev/devtools

npm i https://pkg.pr.new/QwikDev/qwik/@qwik.dev/devtools@8866

commit: e0b6229

@github-actions

github-actions Bot commented Jul 18, 2026

Copy link
Copy Markdown
Contributor
built with Refined Cloudflare Pages Action

⚡ Cloudflare Pages Deployment

Name Status Preview Last Commit
qwik-docs ✅ Ready (View Log) Visit Preview e0b6229

@Varixo
Varixo merged commit d54b5d4 into main Jul 18, 2026
49 checks passed
@Varixo
Varixo deleted the codex/fix-xss-vulnerability-in-vnode-serialization branch July 18, 2026 10:51
@github-project-automation github-project-automation Bot moved this from Waiting For Review to Done in Qwik Development Jul 18, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

Status: Done

Development

Successfully merging this pull request may close these issues.

2 participants