feat: [#0] Adds support for rendering HTML strings #1944
Conversation
…o add-support-for-server-rendering-html-strings
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| if (!match[7] || match[7] === 'esm') { | ||
| resolvableCircularImports.push({ url, properties }); | ||
| } | ||
| newCodeStart += `let {${properties.map((property) => (property.alias ? `"${property.name.replace(/"/g, '\\"')}": ${property.alias}` : property.name)).join(', ')}} = $happy_dom.imports.get('${url}')${match[8]}`; |
Check failure
Code scanning / CodeQL
Incomplete string escaping or encoding High
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 18 days ago
The best way to fix the issue is to ensure that both double quotes (") and backslashes (\) in the property name are escaped when embedding a property name within double quotes in generated JavaScript code. This should be done using a regular expression replacement that first escapes backslashes and then double quotes, in that order (str.replace(/\\/g, '\\\\').replace(/"/g, '\\"')). This is necessary to prevent any special meaning or accidental termination of the quoted string in the output. The fix is limited to line 269 in packages/happy-dom/src/module/ECMAScriptModuleCompiler.ts, within the map for property names. No new methods are needed; only the replacement logic in the string interpolation is changed, and no new imports are required.
| @@ -266,7 +266,7 @@ | ||
| if (!match[7] || match[7] === 'esm') { | ||
| resolvableCircularImports.push({ url, properties }); | ||
| } | ||
| newCodeStart += `let {${properties.map((property) => (property.alias ? `"${property.name.replace(/"/g, '\\"')}": ${property.alias}` : property.name)).join(', ')}} = $happy_dom.imports.get('${url}')${match[8]}`; | ||
| newCodeStart += `let {${properties.map((property) => (property.alias ? `"${property.name.replace(/\\/g, '\\\\').replace(/"/g, '\\"')}": ${property.alias}` : property.name)).join(', ')}} = $happy_dom.imports.get('${url}')${match[8]}`; | ||
| } else if (importMatch[2]) { | ||
| // Import all as | ||
| newCodeStart += `const ${importMatch[2]} = $happy_dom.imports.get('${url}')${match[8]}`; |
| if (match[11]) { | ||
| newCode += match[0].replace(EXPORT_DEFAULT_REGEXP, ''); | ||
| newCodeEnd += `$happy_dom.exports.default = ${name};\n`; | ||
| } else { |
Check failure
Code scanning / CodeQL
Incomplete string escaping or encoding High
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 18 days ago
To fix the problem, change the string .replace('*', '') to use a regex with the global flag: .replace(/\*/g, ''). This ensures that all asterisks in the string are replaced, not just the first occurrence.
- Only update the specific line in
packages/happy-dom/src/module/ECMAScriptModuleCompiler.tswherematch[14].replace('*', '')occurs (line 333). - No new imports are required, as JavaScript RegExp literals are built-in.
| @@ -330,7 +330,7 @@ | ||
| ) { | ||
| // Export function or class type | ||
|
|
||
| const name = match[14].replace('*', ''); | ||
| const name = match[14].replace(/\*/g, ''); | ||
|
|
||
| if (name) { | ||
| if (match[11]) { |
| if (exportName && importName) { | ||
| exportCode.push(`$happy_dom.exports['${exportName}'] = ${importName}`); | ||
| } | ||
| } |
Check failure
Code scanning / CodeQL
Polynomial regular expression used on uncontrolled data High
| : packageJson.exports[key].import; | ||
| if (importEntry) { | ||
| const regExp = new RegExp( | ||
| `^${key.replace('./', '').replace('.', '\\.').replace('*', '(.*)')}$` |
Check failure
Code scanning / CodeQL
Incomplete string escaping or encoding High
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI about 7 hours ago
In general, the way to fix this is to perform global replacements when escaping or transforming meta-characters, rather than replacing only the first occurrence. In JavaScript/TypeScript, that means using regular expressions with the g flag (for example, .replace(/\./g, '\\.')) instead of string literals as the first argument to replace.
For this particular code, the best minimal change is to modify the chain on line 168 so that:
.is escaped everywhere via.replace(/\./g, '\\.'), and*is converted everywhere via.replace(/\*/g, '(.*)').
The leading "./" is still stripped with .replace('./', ''), which is fine because it should only occur once at the start. We do not need any new imports or functions; we can simply adjust the existing expression inside the new RegExp(...) call. This preserves the existing behavior for simple patterns but makes it correct for keys containing multiple dots or asterisks, without changing any other functionality.
Concretely, in packages/happy-dom/src/module/ModuleURLUtility.ts, within the if (packageJson.exports) block near line 168, replace:
`^${key.replace('./', '').replace('.', '\\.').replace('*', '(.*)')}$`with:
`^${key.replace('./', '').replace(/\./g, '\\.').replace(/\*/g, '(.*)')}$`No other changes are required.
| @@ -165,7 +165,7 @@ | ||
| : packageJson.exports[key].import; | ||
| if (importEntry) { | ||
| const regExp = new RegExp( | ||
| `^${key.replace('./', '').replace('.', '\\.').replace('*', '(.*)')}$` | ||
| `^${key.replace('./', '').replace(/\./g, '\\.').replace(/\*/g, '(.*)')}$` | ||
| ); | ||
| const match = subPath.match(regExp); | ||
| if (match) { |
| ); | ||
| const match = subPath.match(regExp); | ||
| if (match) { | ||
| const resolvedSubPath = importEntry.replace('./', '').replace('*', match[1]); |
Check failure
Code scanning / CodeQL
Incomplete string escaping or encoding High
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI about 7 hours ago
In general, to fix incomplete escaping/encoding arising from String.prototype.replace with a string search pattern, the replacement should use a regular expression with the global (g) flag, or a sanitizer/helper library that correctly processes all occurrences. When replacing special characters like * or ., the regular expression must escape them so they’re treated literally.
In this specific case, we need to ensure that all * characters in importEntry are replaced with the captured subpath from match[1], not just the first one. The change is localized to the construction of resolvedSubPath on line 172. We can achieve this by changing .replace('*', match[1]) to .replace(/\*/g, match[1]), which replaces every literal * in the string. This preserves existing behavior for single-wildcard patterns and correctly handles potential multiple-wildcard patterns. No additional imports or helper functions are required, and no other lines need to change.
| @@ -169,7 +169,7 @@ | ||
| ); | ||
| const match = subPath.match(regExp); | ||
| if (match) { | ||
| const resolvedSubPath = importEntry.replace('./', '').replace('*', match[1]); | ||
| const resolvedSubPath = importEntry.replace('./', '').replace(/\*/g, match[1]); | ||
| const resolvedURL = `${baseURL}${packageName}/${resolvedSubPath}`; | ||
| this.nodeModuleResolveCache.set(url, resolvedURL); | ||
| return resolvedURL; |
No description provided.