Moderate severity · NVD Advisory · Published Jan 20, 2023 · Updated Apr 2, 2025
Cross-site Scripting (XSS) - Generic in builderio/qwik
CVE-2023-0410
Description
Cross-site Scripting (XSS) - Generic in GitHub repository builderio/qwik prior to 0.1.0-beta5. (The npm package range in the table below, sourced from the GitHub Security Advisory, is given as < 0.16.2 with 0.16.2 as the patched release.)
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| @builder.io/qwik (npm) | < 0.16.2 | 0.16.2 |
Affected products
1- Range: unspecified
Patches
14b2f89dbbd2b fix: cleanse ssr attribute name and class value (#2475)
2 files changed · +42 −1
packages/qwik/src/core/render/ssr/render-ssr.ts+11 −1 modified@@ -544,6 +544,10 @@ const renderNode = ( classStr = attrValue; } else if (attrName === 'value' && tagName === 'textarea') { htmlStr = escapeHtml(attrValue); + } else if (isSSRUnsafeAttr(attrName)) { + if (qDev) { + logError('Attribute value is unsafe for SSR'); + } } else { openingElement += ' ' + (value === '' ? attrName : attrName + '="' + escapeAttr(attrValue) + '"'); @@ -631,7 +635,7 @@ This goes against the HTML spec: https://html.spec.whatwg.org/multipage/dom.html } if (classStr) { - openingElement += ' class="' + classStr + '"'; + openingElement += ' class="' + escapeAttr(classStr) + '"'; } if (listeners.length > 0) { @@ -1073,6 +1077,12 @@ const escapeAttr = (s: string) => { }); }; +// https://html.spec.whatwg.org/multipage/syntax.html#attributes-2 +const unsafeAttrCharRE = /[>/="'\u0009\u000a\u000c\u0020]/; // eslint-disable-line no-control-regex +export const isSSRUnsafeAttr = (name: string): boolean => { + return unsafeAttrCharRE.test(name); +}; + const listenersNeedId = (listeners: Listener[]) => { return listeners.some((l) => l[1].$captureRef$ && l[1].$captureRef$.length > 0); };
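Review bot: The `unsafeAttrCharRE` added in the last hunk omits U+000D (CR), which the HTML tokenizer normalizes to LF before the attribute-name state, so a spread prop named like `foo\ronclick` would appear to pass `isSSRUnsafeAttr` and reach the `else` branch that writes the name unescaped; the spec section it cites also forbids all control characters, not only tab, LF and FF. A tighter pattern is `const unsafeAttrCharRE = /[>/="'\u0000-\u001f\u007f-\u009f\u0020]/;`. In the first hunk, `logError('Attribute value is unsafe for SSR')` describes the attribute name rather than its value, and outside `qDev` the attribute is dropped with no trace, which deserves a comment such as `// name contains chars that would end the attribute or tag; drop it rather than emit it`. renderNode begins before the first hunk and escapeAttr's body lies outside the third.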
packages/qwik/src/core/render/ssr/render-ssr.unit.tsx+31 −0 modified@@ -1262,6 +1262,37 @@ renderSSRSuite('null component', async () => { `<html q:container="paused" q:version="dev" q:render="ssr-dev"><!--qv q:id=0 q:key=sX:--><!--/qv--></html>` ); }); + +renderSSRSuite('cleanse attribute name', async () => { + const o = { + '"><script>alert("ಠ~ಠ")</script>': 'xss', + }; + await testSSR( + <body {...o}></body>, + '<html q:container="paused" q:version="dev" q:render="ssr-dev"><body></body></html>' + ); +}); + +renderSSRSuite('cleanse class attribute', async () => { + const o = { + class: '"><script>alert("ಠ~ಠ")</script>', + }; + await testSSR( + <body {...o}></body>, + '<html q:container="paused" q:version="dev" q:render="ssr-dev"><body class=""><script>alert("ಠ~ಠ")</script>"></body></html>' + ); +}); + +renderSSRSuite('class emoji valid', async () => { + const o = { + class: 'package📦', + }; + await testSSR( + <body {...o}></body>, + '<html q:container="paused" q:version="dev" q:render="ssr-dev"><body class="package📦"></body></html>' + ); +}); + // TODO // Merge props on host // - host events
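Review bot: The expected HTML in 'cleanse class attribute' contains the raw payload `class=""><script>alert("ಠ~ಠ")</script>">`, which is exactly the injected markup the new `escapeAttr(classStr)` call is meant to prevent, so unless `testSSR` decodes entities before comparing (its body is not in this diff) the assertion would also hold against unescaped output. Pinning the encoded form the renderer emits, e.g. `class="&quot;><script>alert(&quot;ಠ~ಠ&quot;)</script>"` if escapeAttr maps `"` to `&quot;`, would make the test fail on a regression. The test suite continues past the end of this hunk.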