Bugfix/audit 31 05 2026 #31
Merged
Sanitize RouterLink and SSR output, fix the htm parser, reactive-child ordering/disposal, router/scheduler/data correctness, and assorted memory leaks. Adds SSR request-scoped query cache, infiniteQuery maxPages, and mutation cancellation. See CHANGELOG for details.
… URL control-char guards into shared tested helpers
Description
Consolidates three security guards that had been re-implemented (and had drifted apart) across the codebase into single, shared, individually-tested helpers, so the same class of bug can't reappear in one code path while another stays fixed.
- src/utils/guards.ts (new): isUnsafeKey() / stripUnsafeKeys() for prototype-pollution keys (__proto__ / constructor / prototype). Replaces 5 hand-rolled copies in globalStore, machine, persist, dragDrop, and routerSSR.
- src/utils/sanitize.ts: isEventHandlerAttr() unifies 6 divergent on*-handler checks (some strict, some loose) into the spec-accurate rule; stripControlChars() replaces 4 inline copies of the URL control-character strip used by sanitizeUrl, the router's isSafeNavigationTarget, and the SSR/head meta-refresh guards.
- tests/guards.test.ts: 9 adversarial cases hitting the shared guards directly.

No public API changes. One minor behavior note: the previously-loose on* sites now use the strict rule, so a non-handler attribute like on-foo is no longer blocked (harmless: setAttribute doesn't execute it; real on* handlers are still refused).
Related Issue
Closes #
Type of Change
Checklist
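The description above names three shared guards but the page does not show their bodies. The block below is an added example, not code from this PR or the project: one shape those guards could take in TypeScript, with the adversarial inputs a reviewer would probe (a nested `__proto__` key that a flat check misses, a `javascript:` scheme split by a tab or NUL, an `on-foo` attribute that the strict handler rule must let through). The function names mirror the PR's description; their signatures, the allow-listed schemes in `isSafeNavigationTarget`, and the sample payload are assumptions.

```typescript
// Added example (not the project's own code). Names follow the PR description;
// signatures, scheme allow-list and the sample payload are assumptions.

const UNSAFE_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// isUnsafeKey: the three keys through which a plain assignment or a deep-merge
// can reach Object.prototype.
function isUnsafeKey(key: string): boolean {
  return UNSAFE_KEYS.has(key);
}

// stripUnsafeKeys: copies plain objects and arrays recursively, dropping unsafe
// keys at every depth. Object.keys only yields own enumerable keys, so an
// inherited __proto__ accessor is never consulted; JSON.parse creates
// "__proto__" as an OWN property, which is exactly the payload a flat,
// top-level-only check misses once it is nested one level down.
function stripUnsafeKeys<T>(value: T): T {
  if (Array.isArray(value)) {
    return value.map((v) => stripUnsafeKeys(v)) as unknown as T;
  }
  if (value !== null && typeof value === "object") {
    const src = value as unknown as Record<string, unknown>;
    const out: Record<string, unknown> = {};
    for (const k of Object.keys(src)) {
      if (isUnsafeKey(k)) continue;
      out[k] = stripUnsafeKeys(src[k]);
    }
    return out as unknown as T;
  }
  return value;
}

// isEventHandlerAttr: the strict rule assumed here. An attribute is a handler
// when its name, case-insensitively, is "on" followed only by ASCII letters
// ("onclick", "ONLOAD", "onpointerrawupdate"). "on-foo", "on", "data-onclick"
// are not handlers and must not be blocked.
function isEventHandlerAttr(name: string): boolean {
  return /^on[a-z]+$/i.test(name);
}

// stripControlChars: removes C0 controls and DEL. Browsers drop tab, CR and LF
// while parsing a URL, so "java\tscript:" is executed as "javascript:" even
// though a naive prefix check would pass it. Strip first, then classify.
function stripControlChars(url: string): string {
  return url.replace(/[\u0000-\u001f\u007f]/g, "");
}

// isSafeNavigationTarget: scheme allow-list applied only after stripping and
// trimming. Scheme-less (relative) targets are accepted. The list is an
// assumption for the example, not the project's.
const SAFE_SCHEMES = new Set(["http", "https", "mailto", "tel"]);
function isSafeNavigationTarget(url: string): boolean {
  const cleaned = stripControlChars(url).trim();
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  if (m === null) return true;
  return SAFE_SCHEMES.has(m[1].toLowerCase());
}

// Constructed adversarial payload: a top-level __proto__ plus a nested
// constructor.prototype, the shape used against naive deep-merge/persist code.
const POLLUTION_PAYLOAD =
  '{"a":1,"__proto__":{"polluted":true},' +
  '"nested":{"constructor":{"prototype":{"x":1}},"ok":[{"prototype":1,"y":2}]}}';

function demo(): string {
  const cleaned = stripUnsafeKeys(JSON.parse(POLLUTION_PAYLOAD));
  return JSON.stringify(cleaned);
}
```

`demo()` returns the JSON of the scrubbed payload: every unsafe key is gone at every depth while ordinary keys survive untouched. The order matters in `isSafeNavigationTarget`: stripping control characters before the scheme match is what closes the `java\tscript:` and `java\u0000script:` variants, which is why the PR's four inline copies were worth collapsing into one tested helper.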