Ignore non-VNode objects during rendering

developit · marvinhagemeister · commit ad35c4c931db · 2022-10-04T22:36:52.000+02:00
This fixes #245.
diff --git a/.changeset/curly-bananas-do.md b/.changeset/curly-bananas-do.md
@@ -0,0 +1,5 @@
+---
+'preact-render-to-string': patch
+---
+
+Fix object children being rendered as `undefined`
diff --git a/src/index.js b/src/index.js
@@ -210,6 +210,9 @@ function _renderToString(vnode, context, isSvgMode, selectValue, parent) {
 		return rendered;
 	}
 
+	// VNodes have {constructor:undefined} to prevent JSON injection:
+	if (vnode.constructor !== undefined) return '';
+
 	vnode[PARENT] = parent;
 	if (options[DIFF]) options[DIFF](vnode);
 
diff --git a/src/pretty.js b/src/pretty.js
@@ -53,6 +53,9 @@ export function _renderToStringPretty(
 		return rendered;
 	}
 
+	// VNodes have {constructor:undefined} to prevent JSON injection:
+	if (vnode.constructor !== undefined) return '';
+
 	let nodeName = vnode.type,
 		props = vnode.props,
 		isComponent = false;
diff --git a/test/jsx.test.js b/test/jsx.test.js
@@ -163,4 +163,8 @@ describe('jsx', () => {
 			<meta charset="utf-8" />
 		`);
 	});
+
+	it('should prevent JSON injection', () => {
+		expect(renderJsx(<div>{{ hello: 'world' }}</div>)).to.equal('<div></div>');
+	});
 });
diff --git a/test/pretty.test.js b/test/pretty.test.js
@@ -222,4 +222,10 @@ describe('pretty', () => {
 			</p>
 		`);
 	});
+
+	it('should prevent JSON injection', () => {
+		expect(prettyRender(<div>{{ hello: 'world' }}</div>)).to.equal(
+			'<div></div>'
+		);
+	});
 });
diff --git a/test/render.test.js b/test/render.test.js
@@ -1260,4 +1260,8 @@ describe('render', () => {
 			'<select><option selected value="2">2</option></select>'
 		);
 	});
+
+	it('should prevent JSON injection', () => {
+		expect(render(<div>{{ hello: 'world' }}</div>)).to.equal('<div></div>');
+	});
 });

-Original file line number
+Diff line change
@@ @@ -0,0 +1,5 @@ @@
 +---
 +'preact-render-to-string': patch
 +---
++
 +Fix object children being rendered as `undefined`
Original file line number	Diff line number	Diff line change
`@@ -210,6 +210,9 @@ function _renderToString(vnode, context, isSvgMode, selectValue, parent) {`
`210`	`210`	`return rendered;`
`211`	`211`	`}`
`212`	`212`
	`213`	`+ // VNodes have {constructor:undefined} to prevent JSON injection:`
	`214`	`+ if (vnode.constructor !== undefined) return '';`
	`215`	`+`
`213`	`216`	`vnode[PARENT] = parent;`
`214`	`217`	`if (options[DIFF]) options[DIFF](vnode);`
`215`	`218`
Original file line number	Diff line number	Diff line change
`@@ -53,6 +53,9 @@ export function _renderToStringPretty(`
`53`	`53`	`return rendered;`
`54`	`54`	`}`
`55`	`55`
	`56`	`+ // VNodes have {constructor:undefined} to prevent JSON injection:`
	`57`	`+ if (vnode.constructor !== undefined) return '';`
	`58`	`+`
`56`	`59`	`let nodeName = vnode.type,`
`57`	`60`	`props = vnode.props,`
`58`	`61`	`isComponent = false;`