Properly escape embedded JS/JSON

Author: th0r

src/viewer.js

@@ -53,7 +53,9 @@ async function startServer(bundleStats, opts) {
       mode: 'server',
       get chartData() { return JSON.stringify(chartData) },
       defaultSizes: JSON.stringify(defaultSizes),
-      enableWebSocket: true
+      enableWebSocket: true,
+      // Helpers
+      escapeScript
     });
   });
 
@@ -131,9 +133,11 @@ async function generateReport(bundleStats, opts) {
       {
         mode: 'static',
         chartData: JSON.stringify(chartData),
-        assetContent: getAssetContent,
         defaultSizes: JSON.stringify(defaultSizes),
-        enableWebSocket: false
+        enableWebSocket: false,
+        // Helpers
+        assetContent: getAssetContent,
+        escapeScript
       },
       (err, reportHtml) => {
         try {
@@ -168,6 +172,13 @@ function getAssetContent(filename) {
   return fs.readFileSync(`${projectRoot}/public/${filename}`, 'utf8');
 }
 
+/**
+ * Escapes `<` characters in the string to safely use it in `<script>` tag.
+ */
+function escapeScript(value) {
+  return String(value).replace(/</gu, '\\u003c');
+}
+
 function getChartData(analyzerOpts, ...args) {
   let chartData;
   const {logger} = analyzerOpts;

views/script.ejs

@@ -1,7 +1,7 @@
 <% if (mode === 'static') { %>
   <!-- <%= filename %> -->
   <script>
-    <%- assetContent(filename) %>
+    <%- escapeScript(assetContent(filename)) %>
   </script>
 <% } else { %>
   <script src="/<%= filename %>"></script>

views/viewer.ejs

@@ -11,9 +11,9 @@
   <body>
     <div id="app"></div>
     <script>
-      window.chartData = <%- chartData %>;
-      window.defaultSizes = <%- defaultSizes %>;
-      window.enableWebSocket = <%- enableWebSocket %>;
+      window.chartData = <%- escapeScript(chartData) %>;
+      window.defaultSizes = <%- escapeScript(defaultSizes) %>;
+      window.enableWebSocket = <%- escapeScript(enableWebSocket) %>;
     </script>
   </body>
 </html>