Container API: render component contains a <script> tag will leak the local file path #13487
Closed as not planned
Description
Astro Info
Astro v5.5.4
Node v22.11.0
System macOS (arm64)
Package Manager pnpm
Output server
Adapter @astrojs/node
Integrations none
If this issue only occurs in one browser, which browser is a problem?
No response
Describe the Bug
I want to render an Astro component into a string and return it to the client. When I use renderToString() for rendering, if the Astro component contains a <script> tag, Astro renders it into a string like this:
<script type="module" src="/Users/xxx/projects/test/src/components/Item.astro?astro&type=script&index=0&lang.ts"></script>This exposes my username to the client. Could an option be added, such as "ignoreScript" "delScript" or "noScript", to ignore the <script> tag and only render the HTML code and CSS styles?
Currently, I can only remove the contents of the <script> tag using regular expressions and then return the result.
Test code:
//src/pages/index.astro
---
import Item from '../components/Item.astro';
import { experimental_AstroContainer } from 'astro/container';
const container = await experimental_AstroContainer.create();
const html = await container.renderToString(Item, { props: { data: 'hello' } });
return new Response(html, { status: 200 });
---
//src/components/Item.astro
---
const {data} = Astro.props
---
<p>MODE: {import.meta.env.MODE}</p>
<p>{data}</p>
<script>console.log('hello')</script>Build and preview:
<p>MODE: production</p> <p>hello</p> <script type="module" src="/Users/xxx/projects/test/src/components/Item.astro?astro&type=script&index=0&lang.ts"></script>What's the expected result?
Remove the <script> tag or hide the local file path.
Link to Minimal Reproducible Example
https://stackblitz.com/edit/github-dqah1dbt?file=src%2Fpages%2Findex.astro
Participation
- I am willing to submit a pull request for this issue.