From c8b232f4316d4a8a4b91d8627d689a64a8e515e9 Mon Sep 17 00:00:00 2001 From: Rich Harris Date: Thu, 15 Dec 2016 10:55:39 -0500 Subject: [PATCH] implement triples in SSR compiler, and escape HTML for regular tags --- src/server-side-rendering/compile.js | 17 +++++++++++++++++ .../dynamic-text-escaped/_actual.html | 1 + .../dynamic-text-escaped/_expected.html | 1 + .../dynamic-text-escaped/data.json | 3 +++ .../dynamic-text-escaped/main.html | 1 + test/server-side-rendering/triple/_actual.html | 1 + .../server-side-rendering/triple/_expected.html | 1 + test/server-side-rendering/triple/main.html | 11 +++++++++++ 8 files changed, 36 insertions(+) create mode 100644 test/server-side-rendering/dynamic-text-escaped/_actual.html create mode 100644 test/server-side-rendering/dynamic-text-escaped/_expected.html create mode 100644 test/server-side-rendering/dynamic-text-escaped/data.json create mode 100644 test/server-side-rendering/dynamic-text-escaped/main.html create mode 100644 test/server-side-rendering/triple/_actual.html create mode 100644 test/server-side-rendering/triple/_expected.html create mode 100644 test/server-side-rendering/triple/main.html diff --git a/src/server-side-rendering/compile.js b/src/server-side-rendering/compile.js index 47ccae587a..e34156745a 100644 --- a/src/server-side-rendering/compile.js +++ b/src/server-side-rendering/compile.js @@ -219,6 +219,11 @@ export default function compile ( parsed, source, { filename }) { }, MustacheTag ( node ) { + const { snippet } = contextualise( node.expression ); // TODO use snippet, for sourcemap support + return '${__escape( String( ' + snippet + ') )}'; + }, + + RawMustacheTag ( node ) { const { snippet } = contextualise( node.expression ); // TODO use snippet, for sourcemap support return '${' + snippet + '}'; }, 
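Review bot: `RawMustacheTag` keeps the old unescaped `'${' + snippet + '}'` output, and nothing at the visitor says that this is deliberate. I would add a comment above it such as `// {{{triple}}}: emitted verbatim, so the expression must already be trusted or sanitised HTML`. In the new `MustacheTag`, `String( ... )` turns `undefined` and `null` into the literal text `undefined` / `null`, so it is worth confirming that this matches what the DOM renderer prints for the same template. Whether dynamic attribute values also go through `__escape` cannot be seen here, because the visitor object starts and ends outside this hunk.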
@@ -381,6 +386,18 @@ export default function compile ( parsed, source, { filename }) { exports.renderCss = function () { ${renderCssStatements.join( '\n\n' )} }; + + var escaped = { + '"': '"', + "'": '&39;', + '&': '&', + '<': '<', + '>': '>' + }; + + function __escape ( html ) { + return html.replace( /["'&<>]/g, match => escaped[ match ] ); + } ` ); const rendered = topLevelStatements.join( '\n\n' ); diff --git a/test/server-side-rendering/dynamic-text-escaped/_actual.html b/test/server-side-rendering/dynamic-text-escaped/_actual.html new file mode 100644 index 0000000000..467e5de3d1 --- /dev/null +++ b/test/server-side-rendering/dynamic-text-escaped/_actual.html @@ -0,0 +1 @@ +<p>this should be <em>escaped</em> & so should &39;this&39;</p> \ No newline at end of file diff --git a/test/server-side-rendering/dynamic-text-escaped/_expected.html b/test/server-side-rendering/dynamic-text-escaped/_expected.html new file mode 100644 index 0000000000..080992cfd2 --- /dev/null +++ b/test/server-side-rendering/dynamic-text-escaped/_expected.html @@ -0,0 +1 @@ +<p>this should be <em>escaped</em> & so should &39;this&39;</p> diff --git a/test/server-side-rendering/dynamic-text-escaped/data.json b/test/server-side-rendering/dynamic-text-escaped/data.json new file mode 100644 index 0000000000..ece574c8bd --- /dev/null +++ b/test/server-side-rendering/dynamic-text-escaped/data.json @@ -0,0 +1,3 @@ +{ + "foo": "
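Review bot: The apostrophe entry in `escaped` reads `"'": '&39;'` as shown here, which is missing the `#`. `&39;` is not a character reference, so a browser would display that text literally instead of an apostrophe. The line should be `"'": '&#39;',`, and the `dynamic-text-escaped/_expected.html` fixture in this same patch, which shows `&39;this&39;`, needs the matching update or the test pins the broken output. The other four map values appear entity-decoded on this page, so they cannot be checked from here. `__escape` also assumes a string argument, which holds only because the `MustacheTag` call site wraps its value in `String( ... )`; a one-line comment on the function saying so would help.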

this should be escaped & so should 'this'

" +} diff --git a/test/server-side-rendering/dynamic-text-escaped/main.html b/test/server-side-rendering/dynamic-text-escaped/main.html new file mode 100644 index 0000000000..054e96cb81 --- /dev/null +++ b/test/server-side-rendering/dynamic-text-escaped/main.html @@ -0,0 +1 @@ +{{foo}} diff --git a/test/server-side-rendering/triple/_actual.html b/test/server-side-rendering/triple/_actual.html new file mode 100644 index 0000000000..924d26dd6a --- /dev/null +++ b/test/server-side-rendering/triple/_actual.html @@ -0,0 +1 @@ +

html

\ No newline at end of file diff --git a/test/server-side-rendering/triple/_expected.html b/test/server-side-rendering/triple/_expected.html new file mode 100644 index 0000000000..138c8a30cd --- /dev/null +++ b/test/server-side-rendering/triple/_expected.html @@ -0,0 +1 @@ +

html

diff --git a/test/server-side-rendering/triple/main.html b/test/server-side-rendering/triple/main.html new file mode 100644 index 0000000000..80be85ccdc --- /dev/null +++ b/test/server-side-rendering/triple/main.html @@ -0,0 +1,11 @@ +
{{{triple}}}
+ +