Merge commit from fork

paoloricciuti · web-flow · commit 0df5abcae223 · 2026-02-25T09:14:55.000-07:00
* fix: escape `innerText` and `textContent` bindings of `contenteditable`

* fix: better if else structure
diff --git a/.changeset/bindings-xss-fix.md b/.changeset/bindings-xss-fix.md
@@ -0,0 +1,5 @@
+---
+'svelte': patch
+---
+
+fix: escape `innerText` and `textContent` bindings of `contenteditable`
diff --git a/packages/svelte/src/compiler/phases/3-transform/server/visitors/shared/element.js b/packages/svelte/src/compiler/phases/3-transform/server/visitors/shared/element.js
@@ -123,9 +123,13 @@ export function build_element_attributes(node, context, transform) {
 
 			expression = transform(expression, attribute.metadata.expression);
 
-			if (is_content_editable_binding(attribute.name)) {
+			if (attribute.name === 'innerHTML') {
+				// innerHTML is the only binding we don't escape
 				content = expression;
-			} else if (attribute.name === 'value' && node.name === 'textarea') {
+			} else if (
+				is_content_editable_binding(attribute.name) ||
+				(attribute.name === 'value' && node.name === 'textarea')
+			) {
 				content = b.call('$.escape', expression);
 			} else if (attribute.name === 'group' && attribute.expression.type !== 'SequenceExpression') {
 				const value_attribute = /** @type {AST.Attribute | undefined} */ (
diff --git a/packages/svelte/tests/server-side-rendering/samples/contenteditable-bindings-escaped/_expected.html b/packages/svelte/tests/server-side-rendering/samples/contenteditable-bindings-escaped/_expected.html
@@ -0,0 +1 @@
+<!--[--><div contenteditable="">&lt;script>alert('pwnd')&lt;/script></div> <div contenteditable="">&lt;script>alert('pwnd')&lt;/script></div> <div contenteditable=""><script>alert('pwnd')</script></div><!--]-->
diff --git a/packages/svelte/tests/server-side-rendering/samples/contenteditable-bindings-escaped/main.svelte b/packages/svelte/tests/server-side-rendering/samples/contenteditable-bindings-escaped/main.svelte
@@ -0,0 +1,7 @@
+<script>
+	let data = $state("<scri"+"pt>alert('pwnd')</scr"+"ipt>");
+</script>
+
+<div contenteditable bind:innerText={data}></div>
+<div contenteditable bind:textContent={data}></div>
+<div contenteditable bind:innerHTML={data}></div>

-Original file line number
+Diff line change
@@ @@ -0,0 +1,5 @@ @@
 +---
 +'svelte': patch
 +---
++
 +fix: escape `innerText` and `textContent` bindings of `contenteditable`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+<!--[--><div contenteditable=""><script>alert('pwnd')</script></div> <div contenteditable=""><script>alert('pwnd')</script></div> <div contenteditable=""><script>alert('pwnd')</script></div><!--]-->`