fix: avoid user content to be used as string params (close #727)

meteorlxy · meteorlxy · commit 788afdab56e4 · 2022-03-01T22:04:50.000+08:00
diff --git a/packages/@vuepress/bundler-vite/src/build/renderPage.ts b/packages/@vuepress/bundler-vite/src/build/renderPage.ts
@@ -75,7 +75,11 @@ export const renderPage = async ({
       '<!--vuepress-ssr-styles-->',
       renderPageStyles({ app, outputCssAsset })
     )
-    .replace('<!--vuepress-ssr-app-->', pageRendered)
+    // page content
+    // notice that some special chars in string like `$&` would be recognized by `replace()`,
+    // and they won't be html-escaped and will be kept as is when they are inside a code block,
+    // so we use a replace function as the second param to avoid those potential issues
+    .replace('<!--vuepress-ssr-app-->', () => pageRendered)
     // page scripts
     .replace(
       '<!--vuepress-ssr-scripts-->',
diff --git a/packages/@vuepress/bundler-webpack/src/build/renderPage.ts b/packages/@vuepress/bundler-webpack/src/build/renderPage.ts
@@ -94,7 +94,11 @@ export const renderPage = async ({
       '<!--vuepress-ssr-styles-->',
       renderPageStyles({ app, initialFilesMeta, pageClientFilesMeta })
     )
-    .replace('<!--vuepress-ssr-app-->', pageRendered)
+    // page content
+    // notice that some special chars in string like `$&` would be recognized by `replace()`,
+    // and they won't be html-escaped and will be kept as is when they are inside a code block,
+    // so we use a replace function as the second param to avoid those potential issues
+    .replace('<!--vuepress-ssr-app-->', () => pageRendered)
     // page scripts
     .replace(
       '<!--vuepress-ssr-scripts-->',
