prevent URLs in attributes being escaped

[alexnguyennz]

Changes

Issue

Adds check for server rendered URLs attributes with any & so they're not escaped. For edge cases where multiple params are needed e.g. for an API that generates OG images.

Before:
<meta name="og:image" content="https://example.com/api/og?title=hello&#38;description=somedescription">

After:
<meta name="og:image" content="https://example.com/api/og?title=hello&description=somedescription">

I think this change is safe - let me know if there's another way this should be done.

Testing

pnpm run test

And manually with minimal demo in dev and build with:

<head>
  <meta
    name="og:image"
    content={'https://example.com/api/og?title=hello&description=somedescription'}
  />
</head>

Docs

N/A

[changeset-bot]

🦋 Changeset detected

Latest commit: 3cfc4c5

The changes in this PR will be included in the next version bump.

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[florian-lefebvre]

Not familiar with this part of the codebase, but can you for hrefs attributes as well?

[bluwy]

Do we need to escape the & in the first place? It should be fine to be used in attribute values 🤔 Seems like it's added since #1789. Perhaps @natemoo-re has some context about it.

[natemoo-re]

Do we need to escape the & in the first place? It should be fine to be used in attribute values 🤔 Seems like it's added since #1789. Perhaps @natemoo-re has some context about it.

Good question! Escaping & is best practice. Seems like Preact and Svelte escape it by default.

I'm not sure that we should hard-code the content attribute... Maybe we could check for the existence of & and then check for a URL? I'm not sure of a simple way we can determine if the & should be escaped or if it's potentially needed for a URL.

[alexnguyennz]

I'm not sure that we should hard-code the content attribute... Maybe we could check for the existence of & and then check for a URL? I'm not sure of a simple way we can determine if the & should be escaped or if it's potentially needed for a URL.

Not sure either - it's now just a general URL check (with any &) for all attributes if that works.

[bluwy]

Good question! Escaping & is best practice. Seems like Preact and Svelte escape it by default.

Thanks! It seems like they encode & as & and " as ", while we encode as & and " respectively. Perhaps we need to change how we encode this as well? Technically both should be equivalent, but maybe browsers are able to parse & better because the # is not tripping it up (?).

[ematipico]

I also think that using HTML entities is better.

[ematipico]

This PR is sitting for a while without too much activity. cc @alexnguyennz and @natemoo-re

[natemoo-re]

Thanks for the ping @ematipico! I'm okay with this solution if everyone else is.

We can follow-up with switching to & and " in another PR.

[natemoo-re]

Just blocking until we resolve the URL.canParse discrepancy.

Nothing for you to do @alexnguyennz, the maintainers just need to decide when we're updating our Node version.

[natemoo-re]

I noticed that URL.canParse was added in Node v18.17.0, but our minimum required version is still v18.14.1.

We should either implement a fallback for URL.canParse (try/catch) or wait on merging this until we bump our engines to v.18.17.0 (possibly in the next minor cc @Princesseuh)

[lilnasy]

URL.canParse uses the same internal method as the URL constructor, so a try-catch should be sufficient to unblock.

[lilnasy]

Looks great to me! It must have taken effort to find the relevant code path, thanks for the clean fix!

[natemoo-re]

Thanks for getting this over the line, @lilnasy!