
fix: warn on bidirectional control characters, fix various issues with template expressions #15893


Merged
merged 18 commits into from
May 12, 2025


Ocean-OS
Contributor

Closes #6890 by warning if any bidirectional control characters are found in:

  • Any part of the source code
  • Escaped in a literal or template literal
  • A result of a partially evaluated expression

Additionally, I found and fixed a minor bug in the build_template_chunk and process_children functions where certain nullish expressions wouldn't be coalesced to an empty string. I also noticed that the partial evaluation evaluates BigInt calls, which could throw, so I fixed it. Since these are very small changes, I don't think they necessitate a separate PR.

Before submitting the PR, please make sure you do the following

  • It's really useful if your PR references an issue where it is discussed ahead of time. In many cases, features are absent for a reason. For large changes, please create an RFC: https://github.com/sveltejs/rfcs
  • Prefix your PR title with feat:, fix:, chore:, or docs:.
  • This message body should clearly illustrate what problems it solves.
  • Ideally, include a test that fails without this PR but passes with it.
  • If this PR changes code within packages/svelte/src, add a changeset (npx changeset).

Tests and linting

  • Run the tests with pnpm test and lint the project with pnpm lint
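
The first two checks listed in the description above (raw characters anywhere in the source, and escapes inside literals), as an added example that is not code from this PR or from Svelte. All names are hypothetical, and the scanner works on raw text rather than a parsed AST, so it also flags escapes in comments and does not cover the partially-evaluated-expression case.

```javascript
// Added example, not Svelte's implementation; all names here are hypothetical.
// Explicit bidi formatting characters: embeddings and overrides
// (U+202A..U+202E) and isolates (U+2066..U+2069).
const BIDI_RAW = /[\u202A-\u202E\u2066-\u2069]/g;
// \uXXXX and \u{XXXX} escapes that decode to one of those code points.
const BIDI_ESCAPE = /\\u(?:(20(?:2[a-eA-E]|6[6-9]))|\{0*(20(?:2[a-eA-E]|6[6-9]))\})/g;
const NAMES = { 0x202a: 'LRE', 0x202b: 'RLE', 0x202c: 'PDF', 0x202d: 'LRO', 0x202e: 'RLO',
  0x2066: 'LRI', 0x2067: 'RLI', 0x2068: 'FSI', 0x2069: 'PDI' };

function findBidiControls(source) {
  const findings = [];
  const record = (index, code, kind) => {
    const lineStart = source.lastIndexOf('\n', index - 1) + 1;
    findings.push({
      index, kind, name: NAMES[code],
      line: source.slice(0, index).split('\n').length, // 1-based
      column: index - lineStart                        // 0-based
    });
  };
  for (const m of source.matchAll(BIDI_RAW)) record(m.index, m[0].codePointAt(0), 'raw');
  for (const m of source.matchAll(BIDI_ESCAPE)) {
    // Count backslashes directly before the match: an odd count means the
    // matched backslash is itself escaped, so "u202E" is plain text.
    let preceding = 0;
    while (source[m.index - 1 - preceding] === '\\') preceding++;
    if (preceding % 2 === 0) record(m.index, parseInt(m[1] ?? m[2], 16), 'escape');
  }
  return findings.sort((a, b) => a.index - b.index);
}

// Constructed sample; the raw character is built from its code point so this
// file itself contains no bidi controls.
const SAMPLE = [
  'const role = "user' + String.fromCodePoint(0x202e) + '";', // raw RLO
  'const label = "\\u2066admin";',   // escaped LRI
  'const path = "C:\\\\u202Efile";', // escaped backslash, then plain text
  'const t = `\\u{202e}x`;'          // braced escape in a template literal
].join('\n');

for (const f of findBidiControls(SAMPLE)) {
  console.log(`${f.line}:${f.column} ${f.kind} ${f.name}`);
}
```
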


changeset-bot bot commented May 11, 2025

🦋 Changeset detected

Latest commit: cc7c317

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package
Name Type
svelte Patch


@svelte-docs-bot
Contributor

Playground

pnpm add https://pkg.pr.new/svelte@15893

@Rich-Harris
Member

It's always a good idea to fix separate bugs in separate PRs — in particular, if there are no tests then regressions are very likely

@Ocean-OS
Contributor Author

I see, sorry for the issue. Should I remove the extra code from this PR?

@Rich-Harris
Member

No need, the merge will take care of it!

Member

@Rich-Harris Rich-Harris left a comment


thanks!

@Rich-Harris Rich-Harris merged commit aa041a9 into sveltejs:main May 12, 2025
9 checks passed
@github-actions github-actions bot mentioned this pull request May 12, 2025
Development

Successfully merging this pull request may close these issues.

Trojan Source Attack checks