fix: escape script vars (#788)

mattzcarey · web-flow · commit 70e5040329bb · 2026-01-17T16:43:48.000Z
diff --git a/examples/mcp-client/src/server.ts b/examples/mcp-client/src/server.ts
@@ -12,8 +12,9 @@ export class MyAgent extends Agent {
             status: 200
           });
         } else {
+          const safeError = JSON.stringify(result.authError || "Unknown error");
           return new Response(
-            `<script>alert('Authentication failed: ${result.authError}'); window.close();</script>`,
+            `<script>alert('Authentication failed: ' + ${safeError}); window.close();</script>`,
             {
               headers: { "content-type": "text/html" },
               status: 200
diff --git a/site/ai-playground/src/server.ts b/site/ai-playground/src/server.ts
@@ -75,8 +75,9 @@ export class Playground extends AIChatAgent<Env, PlaygroundState> {
             status: 200
           });
         }
+        const safeError = JSON.stringify(result.authError || "Unknown error");
         return new Response(
-          `<script>alert('Authentication failed: ${result.authError}'); window.close();</script>`,
+          `<script>alert('Authentication failed: ' + ${safeError}); window.close();</script>`,
           {
             headers: { "content-type": "text/html" },
             status: 200

Original file line number	Diff line number	Diff line change
`@@ -75,8 +75,9 @@ export class Playground extends AIChatAgent<Env, PlaygroundState> {`
`75`	`75`	`status: 200`
`76`	`76`	`});`
`77`	`77`	`}`
	`78`	`+ const safeError = JSON.stringify(result.authError \|\| "Unknown error");`
`78`	`79`	`return new Response(`
`79`		- `<script>alert('Authentication failed: ${result.authError}'); window.close();</script>`,
	`80`	+ `<script>alert('Authentication failed: ' + ${safeError}); window.close();</script>`,
`80`	`81`	`{`
`81`	`82`	`headers: { "content-type": "text/html" },`
`82`	`83`	`status: 200`