Skip to content

Commit 87cd4e5

Browse files
committed
fix(landing): escape </script> breakout in the static public-env script
Greptile P1: a NEXT_PUBLIC_* value containing "</script>" would close the inline script early and could inject markup/script into every hosted page. Escape "<" in the serialized JSON before interpolating it, matching the standard JSON-in-script-tag safeguard.
1 parent e5cf45e commit 87cd4e5

1 file changed

Lines changed: 5 additions & 1 deletion

File tree

apps/sim/app/_shell/public-env-script.tsx

Lines changed: 5 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -19,13 +19,17 @@ const HOSTED_PUBLIC_ENV = Object.fromEntries(
1919
* for self-hosted Docker images that re-inject env per deploy without a
2020
* rebuild. On hosted, env is fixed per build, so this is safe to render
2121
* statically alongside the marketing pages' `revalidate`.
22+
*
23+
* Escapes `<` in the serialized JSON so an env value containing `</script>`
24+
* can't close this tag early and inject markup into every hosted page.
2225
*/
2326
export function PublicEnvScript() {
27+
const serialized = JSON.stringify(HOSTED_PUBLIC_ENV).replace(/</g, '\\u003c')
2428
return (
2529
<script
2630
id='public-env'
2731
dangerouslySetInnerHTML={{
28-
__html: `window['${PUBLIC_ENV_KEY}'] = ${JSON.stringify(HOSTED_PUBLIC_ENV)}`,
32+
__html: `window['${PUBLIC_ENV_KEY}'] = ${serialized}`,
2933
}}
3034
/>
3135
)

0 commit comments

Comments
 (0)