(html)
| 92 | transformIndexHtml: { |
| 93 | order: 'pre', |
| 94 | handler(html) { |
| 95 | if (!routeManifestJson) { |
| 96 | return html; |
| 97 | } |
| 98 | |
| 99 | /** |
| 100 | * XSS Prevention: JSON.stringify escapes quotes/backslashes, but we also need to escape |
| 101 | * HTML-dangerous sequences like </script> and <!-- that could break out of the script context. |
| 102 | */ |
| 103 | const safeJsonValue = escapeJsonForHtml(JSON.stringify(routeManifestJson)); |
| 104 | const script = `<script>window.${MANIFEST_GLOBAL_KEY} = ${safeJsonValue};</script>`; |
| 105 | |
| 106 | if (/<head>/i.test(html)) { |
| 107 | return html.replace(/<head>/i, match => `${match}\n ${script}`); |
| 108 | } |
| 109 | |
| 110 | if (/<html[^>]*>/i.test(html)) { |
| 111 | return html.replace(/<html[^>]*>/i, match => `${match}\n<head>${script}</head>`); |
| 112 | } |
| 113 | |
| 114 | return `<!DOCTYPE html><html><head>${script}</head><body>${html}</body></html>`; |
| 115 | }, |
| 116 | }, |
| 117 | |
| 118 | transform(code, id) { |
no test coverage detected