vite 6 breaks ability to using special chars in html tags attrs

[brokenmass]

Describe the bug

when using ejs tags (like html: {cspNonce: '<%= nonce _%>'}, or experimental: { renderBuiltUrl(filename) {return <%= somePath %>/${filename};}})) , or URLS that contains multiple query strings parameters http:host.com/url?query=123&limit=100, in any html tag attribute, the ", ', &, <, and >. are escaped and so the output html is no longer correct.

(the typical use case for the ejs approach is to have express render the built html page and populate those template variables at runtime).

The bug is not present in vite 5 and was introduced by #18067 , to fix issue #18040.
The issue seems to me to have no actual foundation (cause if some malicious function is able to inject a tag, escaping attrs is pretty much useless as code can be injected in much easier ways anyway) and the fix mangle every attrs that use the above special character.

Reverting the PR resolves the problem.

Reproduction

n/a

Steps to reproduce

No response

System Info

n/a

Used Package Manager

npm

Logs

No response

Validations

• Follow our Code of Conduct
• Read the Contributing Guidelines.
• Read the docs.
• Check that there isn't already an issue that reports the same bug to avoid creating a duplicate.
• Make sure this is a Vite issue and not a framework-specific issue. For example, if it's a Vue SFC related bug, it should likely be reported to vuejs/core instead.
• Check that this is a concrete bug. For Q&A open a GitHub Discussion or join our Discord Chat Server.
• The provided reproduction is a minimal reproducible example of the bug.

[github-actions]

Hello @brokenmass. Please provide a minimal reproduction using a GitHub repository or StackBlitz. Issues marked with needs reproduction will be closed if they have no activity within 3 days.

[hi-ogawa]

The use case seems legitimate, but it would be nice to have a reproduction. I'm not sure what you mean by the last one about "URLS that contains multiple query strings".

[terry-au]

@hi-ogawa I'm also encountering this problem. Here's an excerpt of the plugin we're using:

const entrypointPlugin: Plugin = {
  name: 'entrypoint-plugin',
  apply: 'build',
  enforce: 'pre',
  config(config): UserConfig {
    return {
      experimental: {
        renderBuiltUrl: (filename, { hostType }) => {
          if (hostType === 'html') {
            return `<%= cdn.baseUrl %>/${filename}`;
          }
          return undefined;
        },
      },
    };
  },
};

Vite 5:

<script type="module" crossorigin src="<%= cdn.baseUrl %>/assets/index-yAKNFxux.js"></script>

Vite 6:

<script type="module" crossorigin src="&lt;%= cdn.baseUrl %&gt;/assets/index-yAKNFxux.js"></script>

[brokenmass]

The use case seems legitimate, but it would be nice to have a reproduction. I'm not sure what you mean by the last one about "URLS that contains multiple query strings".

Link : https://stackblitz.com/edit/vitejs-vite-taxulw

vite.config.ts

import { defineConfig } from 'vite';

export default defineConfig({
  html: {
    cspNonce: '<%= cspNonce %>',
  },
  experimental: {
    renderBuiltUrl: (filename, { hostType }) => {
      if (hostType === 'html') {
        return `<%= cdn.baseUrl %>/${filename}`;
      }
      return undefined;
    },
  },
  plugins: [
    {
      name: 'inject-tag',
      enforce: 'post',
      transformIndexHtml: () => {
        return [
          {
            tag: 'image',
            injectTo: 'body',
            attrs: {
              src: 'https://placehold.co/600x400?text=Hello+World&font=Oswald',
            },
          },
        ];
      },
    },
  ],
});

run the command npm install && npm run preview

with vite 5

<!doctype html>
<html lang="en">
  <head>
    <meta charset="UTF-8" />
    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
    <title>Vite App</title>
    <meta property="csp-nonce" nonce="<%= cspNonce %>">
    <script type="module" crossorigin src="<%= cdn.baseUrl %>/assets/index-MQ_MSdzi.js" nonce="<%= cspNonce %>"></script>
    <link rel="stylesheet" crossorigin href="<%= cdn.baseUrl %>/assets/index-DRNMkqs8.css" nonce="<%= cspNonce %>">
  </head>
  <body>
    <div id="app"></div>
    <image src="https://placehold.co/600x400?text=Hello+World&font=Oswald"></image>
  </body>
</html>

with vite 6

<!doctype html>
<html lang="en">
  <head>
    <meta charset="UTF-8" />
    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
    <title>Vite App</title>
    <meta property="csp-nonce" nonce="&lt;%= cspNonce %&gt;">
    <script type="module" crossorigin src="&lt;%= cdn.baseUrl %&gt;/assets/index-MQ_MSdzi.js" nonce="<%= cspNonce %>"></script>
    <link rel="stylesheet" crossorigin href="&lt;%= cdn.baseUrl %&gt;/assets/index-DRNMkqs8.css" nonce="<%= cspNonce %>">
  </head>
  <body>
    <div id="app"></div>
    <image src="https://placehold.co/600x400?text=Hello+World&amp;font=Oswald"></image>
  </body>
</html>

notice how in the second output the special characters <, > and & have been converted to their html escaped versions (<, &gt and & respectively).

the URLS that contains multiple query strings parameters issue is highlighted bythe injected placeholder image. multiple query string parameters are concatenated with & that in vite 6 gets escaped. Buy that's actually not a real issue as the browser seems to interpret that correctly.

Seems like this should be quite a relevant issue, no ?

[bluwy]

For me, this feels more of an intentional breaking change (that we didn't intend to be very breaking but should've mentioned in the migration guide anyways) than a bug. Vite couldn't tell that you're specifying a string as a placeholder that shouldn't be escaped. And escaping would've been the safer default.

I think it should be possible to migrate / adapt by using URL-safe characters instead? Or is using the specific <%= syntax required?

[brokenmass]

For me, this feels more of an intentional breaking change (that we didn't intend to be very breaking but should've mentioned in the migration guide anyways) than a bug.
Vite couldn't tell that you're specifying a string as a placeholder that shouldn't be escaped. And escaping would've been the safer default.

Yes i get your point, but HTML-Escaping attributes in a build tools does not seem the standard behaviour, and is definitely an unexpected one.
The output of the compilation does not have to be fully valid html as there might be some other task or services that parse/transform the html before serving it.

I think it should be possible to migrate / adapt by using URL-safe characters instead? Or is using the specific <%= syntax required?

Sure i think it's possible to use custom delimiter or move to a different template engine, like pug. but would avoid it if possible.

As a solution, if you do not want to revert the pr, you could allow an option to opt out of this defensive behaviour

[sapphi-red]

While we escape " / ' / & / < / > now, I guess we only need to escape & and " because we know that the value will be used as an attribute with double quotes.

[terry-au]

Maybe we should consider letting renderBuiltUrl return its string output unmodified, since its purpose is to provide precise control over asset paths. As an alternative, we could explore adding an option to skip string escaping by returning:

{
  rawUrl: `<%= cdn.baseUrl %>/${filename}`,
}

[brokenmass]

While we escape " / ' / & / < / > now, I guess we only need to escape & and " because we know that the value will be used as an attribute with double quotes.

Yes, just html-escaping the double quotes should be enough. Why also the & ?
But again what’s the requirement here ? Protect from self code injection ? Seems like a solution to a non-problem, and even partial one as then you should escape the tag name too, and probably many other locations.

[brokenmass]

bump

[sapphi-red]

Why also the & ?

Because otherwise the output will be partially escaped. For example, &quote;" will be &quote;&quote; and the consumer cannot know if &quote; should be read as " or &quote;. If & is escaped, it will be &quote;&quote; and the consumer can know it is &quote;".

what’s the requirement here ?

To generate a valid HTML when a user returned an array from transformIndexHtml hook.
For example, when the following hook is used:

transformIndexHtml: () => {
  return [
    {
      tag: 'div',
      injectTo: 'body',
      attrs: {
        "data-foo": '"foo',
      },
    },
  ];
},

[brokenmass]

what’s the requirement here ?

To generate a valid HTML when a user returned an array from transformIndexHtml hook. For example, when the following hook is used:

sure but why should that be vite responsibility, why should it be vite requirement ?
There’s an option to inject tags, if the user want, then they can escape the attributes themselves; otherwise the build tool should just “trust” that the user knows what they are doing and leave it unmodified.

Actually this change break the build for everyone already escaping their injected attrs.

Remember this is not an externally defined input that can be hijacked, it’s a build instruction. And, I mean, it has been like this for years in vite and in every other tools before vite, like webpack.
Being defensive ONLY in the tag attributes makes very little sense cause if you want to protect the user from every invalid html then you should escape stuff everywhere (in your example you should escape the tag field too), and possibly even validate/rewrite the input index.html.

Escaping just the double quote to avoid escaping the attr by mistake seems the most reasonable approach to me.if the contents already contains & those should not be escaped (cause maybe the user already escaped the value) and leaving it unescaped does not break anything.

who’s going to take the final decision if this escaping is going to be reverted or not ? Any ETA ?

[brokenmass]

@hi-ogawa would be nice to know what's the decision on this, as if the mentioned pr is not going to be reverted we need to find an alternative fix.

[tsotimus]

Any movement on this? Just to add another use case which is mentioned above.

Inserting a Content Security Policy via transformIndexHtml is outputting some funky stuff - which I would argue is more important than the body examples given above.

To generate a valid HTML when a user returned an array from transformIndexHtml hook.

If this is the goal, the second example below is more valid than the first id argue

Why are we escaping these tags? I agree with @brokenmass here, I think this is Vite is overstepping here

// Inside dist/index.html with Vite 6
<meta http-equiv="Content-Security-Policy" content=" default-src &#39;self&#39;; img-src &#39;self&#39; data:; script-src-elem &#39;self&#39;; style-src-elem &#39;self&#39;; base-uri &#39;self&#39;; worker-src * blob:; font-src &#39;self&#39;;">

// What it should be and what the browser interprets the above as
<meta http-equiv="Content-Security-Policy" content=" default-src 'self'; img-src 'self' data:; script-src-elem 'self'; style-src-elem 'self'; base-uri 'self'; worker-src * blob:; font-src 'self';">

Run npm run build and npm run preview on this StackBlitz to see this for yourself.

[brokenmass]

@hi-ogawa any update ?