Skip to content

refactor: v2 release #6903

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1,105 commits into
base: main
Choose a base branch
from
Open

refactor: v2 release #6903

wants to merge 1,105 commits into from
+133,422 −79,790

Conversation

wmertens
Copy link
Member

@wmertens wmertens commented Sep 22, 2024
edited
Loading

This PR is for showing progress on v2, and having installable npm packages.

DO NOT MERGE

The changes are meant to be readable and maintainable, so if things are unclear please let us know.

@changeset-bot changeset-bot
Copy link

changeset-bot bot commented Sep 22, 2024
edited
Loading

🦋 Changeset detected

Latest commit: 9849dcf

The changes in this PR will be included in the next version bump.

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

github-advanced-security[bot]
github-advanced-security bot found potential problems Sep 22, 2024
View reviewed changes
@pkg-pr-new pkg.pr.new
Copy link

pkg-pr-new bot commented Sep 23, 2024
edited
Loading

Open in StackBlitz

npm i https://pkg.pr.new/QwikDev/qwik/@qwik.dev/core@6903

npm i https://pkg.pr.new/QwikDev/qwik/@qwik.dev/router@6903

npm i https://pkg.pr.new/QwikDev/qwik/eslint-plugin-qwik@6903

npm i https://pkg.pr.new/QwikDev/qwik/create-qwik@6903

commit: 9849dcf

@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Sep 23, 2024
edited
Loading

built with Refined Cloudflare Pages Action

⚡ Cloudflare Pages Deployment

Name Status Preview Last Commit
qwik-docs ✅ Ready (View Log) Visit Preview 9849dcf

github-advanced-security[bot]
github-advanced-security bot found potential problems Sep 26, 2024
View reviewed changes
packages/qwik/src/core/client/vnode.ts
const insertBefore = journal[idx++] as Element | Text | null;
let newChild: any;
while (idx < length && typeof (newChild = journal[idx]) !== 'number') {
insertParent.insertBefore(newChild, insertBefore);

Check warning

Code scanning / CodeQL

DOM text reinterpreted as HTML Medium

DOM text
Loading
is reinterpreted as HTML without escaping meta-characters.
DOM text
Loading
is reinterpreted as HTML without escaping meta-characters.
@wmertens wmertens changed the title refactor: v2 framework rewrite refactor: v2 release Oct 8, 2024
@wmertens wmertens marked this pull request as ready for review October 17, 2024 21:25
@wmertens wmertens requested review from a team as code owners October 17, 2024 21:25
This was referenced Oct 29, 2024
Closed
Closed
github-advanced-security[bot]
github-advanced-security bot found potential problems Nov 26, 2024
View reviewed changes
packages/qwik-router/src/buildtime/runtime-generation/generate-entries.ts
c.push(`\n/** Qwik Router Entries (${entries.length}) */`);
for (let i = 0; i < entries.length; i++) {
const entry = entries[i];
c.push(`export const ${entry.id} = () => import(${JSON.stringify(entry.filePath)});`);

Check warning

Code scanning / CodeQL

Improper code sanitization Medium

Code construction depends on an
improperly sanitized value
Loading
.

Copilot Autofix

AI 7 months ago

To fix the problem, we need to ensure that entry.filePath is properly sanitized before being used in the dynamically generated JavaScript code. We can achieve this by escaping potentially dangerous characters in the entry.filePath string. This can be done by implementing a function similar to escapeUnsafeChars from the example provided in the background section.

  1. Implement a function escapeUnsafeChars to escape potentially dangerous characters.
  2. Use this function to sanitize entry.filePath before including it in the generated code.
Suggested changeset 1
packages/qwik-router/src/buildtime/runtime-generation/generate-entries.ts

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/packages/qwik-router/src/buildtime/runtime-generation/generate-entries.ts b/packages/qwik-router/src/buildtime/runtime-generation/generate-entries.ts
--- a/packages/qwik-router/src/buildtime/runtime-generation/generate-entries.ts
+++ b/packages/qwik-router/src/buildtime/runtime-generation/generate-entries.ts
@@ -2,2 +2,20 @@
 
+function escapeUnsafeChars(str: string): string {
+  const charMap: { [key: string]: string } = {
+    '<': '\\u003C',
+    '>': '\\u003E',
+    '/': '\\u002F',
+    '\\': '\\\\',
+    '\b': '\\b',
+   '\f': '\\f',
+   '\n': '\\n',
+   '\r': '\\r',
+   '\t': '\\t',
+   '\0': '\\0',
+   '\u2028': '\\u2028',
+   '\u2029': '\\u2029'
+ };
+ return str.replace(/[<>\b\f\n\r\t\0\u2028\u2029]/g, x => charMap[x]);
+}
+
 export function createEntries(ctx: BuildContext, c: string[]) {
@@ -25,3 +43,3 @@
     const entry = entries[i];
-    c.push(`export const ${entry.id} = () => import(${JSON.stringify(entry.filePath)});`);
+    c.push(`export const ${entry.id} = () => import(${escapeUnsafeChars(JSON.stringify(entry.filePath))});`);
   }
EOF
@@ -2,2 +2,20 @@

function escapeUnsafeChars(str: string): string {
const charMap: { [key: string]: string } = {
'<': '\\u003C',
'>': '\\u003E',
'/': '\\u002F',
'\\': '\\\\',
'\b': '\\b',
'\f': '\\f',
'\n': '\\n',
'\r': '\\r',
'\t': '\\t',
'\0': '\\0',
'\u2028': '\\u2028',
'\u2029': '\\u2029'
};
return str.replace(/[<>\b\f\n\r\t\0\u2028\u2029]/g, x => charMap[x]);
}

export function createEntries(ctx: BuildContext, c: string[]) {
@@ -25,3 +43,3 @@
const entry = entries[i];
c.push(`export const ${entry.id} = () => import(${JSON.stringify(entry.filePath)});`);
c.push(`export const ${entry.id} = () => import(${escapeUnsafeChars(JSON.stringify(entry.filePath))});`);
}
Copilot is powered by AI and may make mistakes. Always verify output.
github-advanced-security[bot]
github-advanced-security bot found potential problems Dec 13, 2024
View reviewed changes
github-advanced-security[bot]
github-advanced-security bot found potential problems Jan 25, 2025
View reviewed changes
packages/qwik/src/core/client/vnode-diff.ts
}

if (key === dangerouslySetInnerHTML) {
element.innerHTML = value as string;

Check warning

Code scanning / CodeQL

DOM text reinterpreted as HTML Medium

DOM text
Loading
is reinterpreted as HTML without escaping meta-characters.

Copilot Autofix

AI 18 days ago

To fix the issue, the value assigned to element.innerHTML should be sanitized using a utility function like escapeHTML to ensure that any potentially malicious content is properly escaped before being interpreted as HTML. This will prevent XSS vulnerabilities.

Steps to fix:

  1. Identify the assignment of value to element.innerHTML in the vnode_diff function.
  2. Apply the escapeHTML utility to value before assigning it to innerHTML.
  3. Ensure that the escapeHTML utility is imported and available in the file.

Required changes:

  • Modify the line where element.innerHTML is set to use escapeHTML(value as string) instead of value as string.
Suggested changeset 1
packages/qwik/src/core/client/vnode-diff.ts

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/packages/qwik/src/core/client/vnode-diff.ts b/packages/qwik/src/core/client/vnode-diff.ts
--- a/packages/qwik/src/core/client/vnode-diff.ts
+++ b/packages/qwik/src/core/client/vnode-diff.ts
@@ -657,3 +657,3 @@
         if (key === dangerouslySetInnerHTML) {
-          element.innerHTML = value as string;
+          element.innerHTML = escapeHTML(value as string);
           element.setAttribute(QContainerAttr, QContainerValue.HTML);
EOF
@@ -657,3 +657,3 @@
if (key === dangerouslySetInnerHTML) {
element.innerHTML = value as string;
element.innerHTML = escapeHTML(value as string);
element.setAttribute(QContainerAttr, QContainerValue.HTML);
Copilot is powered by AI and may make mistakes. Always verify output.
github-advanced-security[bot]
github-advanced-security bot found potential problems Mar 15, 2025
View reviewed changes
packages/qwik/src/core/client/vnode.ts
} else if (key === 'value' && key in element) {
(element as any).value = String(value);
} else if (key === dangerouslySetInnerHTML) {
(element as any).innerHTML = value!;

Check warning

Code scanning / CodeQL

DOM text reinterpreted as HTML Medium

DOM text
Loading
is reinterpreted as HTML without escaping meta-characters.
DOM text
Loading
is reinterpreted as HTML without escaping meta-characters.
Varixo and others added 13 commits March 24, 2025 21:39
@Varixo
fix: custom event names and DOMContentLoaded handling
2c2badb
@Varixo
Merge pull request #7452 from QwikDev/v2-custom-events
f3ae77d 
fix: custom event names and DOMContentLoaded handling
@Varixo
fix: reexecute component with null key
13fec50
@Varixo
fix: diffing virtual fragment with null key
fa31110
@Varixo
Merge pull request #7456 from QwikDev/v2-null-key-component
cb4934b 
fix: reexecute component with null key
@Varixo
fix: don't execute QRLs for elements marked as deleted
6d1345f
@Varixo
fix: change implementation to vNode field on element
6e29af3
@wmertens
Merge branch 'build/v2' into v2-merge-main
4cb4cf6
@wmertens
Merge pull request #7443 from QwikDev/v2-merge-main
78c0cdd 
chore: merge main into v2
@Varixo
fix: correctly handle initial resource state
acb0328
@wmertens
Merge pull request #7469 from QwikDev/v2-resource-initial-state
1c1e311 
fix: correctly handle initial resource state
@Varixo
chore: reduce core production size
46d3d9f
@wmertens
Merge pull request #7493 from QwikDev/v2-reduce-core-size
24d9a2d 
chore: reduce core production size
Varixo and others added 30 commits June 30, 2025 19:06
@Varixo
feat: add QLOADER_KEY constant and implement loadersMiddleware
959670e
@Varixo
fix: replace string literals with constants for server timing and rou…
ad14283 
…te data properties
@Varixo
feat: add new test place
e309ed2
@Varixo
feat: don't use q:seq for routeLoader$ and allow loading client data …
5207507 
…if missing
@Varixo
feat: implement WeakObject serialization
4bc8753
@Varixo
feat: get data for single loader
6c85a6c
@Varixo @wmertens
feat: serialization weak ref
8ebd8a2 
Co-authored-by: Wout Mertens <[email protected]>
@Varixo
feat: use async computed as route loaders data
4219781
@Varixo
feat: implement serializationStrategy for route loaders
d006823
@Varixo
fix: unit tests
1ddc62d
@Varixo
chore: add changesets
b0e9c6b
@Varixo
chore: add e2e route loaders serialization test
92727a2
@Varixo
chore: organize imports
e5d49ee
@Varixo
chore: rename qloader to qloaders
7d6c937
@Varixo
feat: add documentation
ece6a14
@Varixo
chore: remove unnecessary logic as it is moved to the async computed …
1ef59e9 
…signal fn
@Varixo
fix: handle q-data fetch error
23cd290
@Varixo
feat: add retry logic for load client data
0bc9bc5
@Varixo
refactor: better selected loaders logic
1b03e9d
@Varixo
feat: global config for loader serialization strategy
b64c34a
@Varixo
refactor: change measurement name to qrl hash
b68ca81
@Varixo
fix: global default serialization docs
d8f5254
@Varixo
chore: replace direct index call in dev-server
031cc1f
@Varixo
fix: send only minimal required data for lazy loaders data
a8e2cd5
@Varixo
feat: update state and html parser
42619f9
@shairez
Merge pull request #7671 from QwikDev/changeset-release/build/v2
aa098fc
@Varixo
Merge pull request #7698 from QwikDev/v2-state-html-parser
34d6253 
feat(docs): state and html parser
@Varixo
Merge pull request #7466 from QwikDev/v2-route-loaders-serialization
e02bb88 
feat: route loaders serialization
@github-actions
Version Packages (beta)
f8f88ee
@shairez
Merge pull request #7701 from QwikDev/changeset-release/build/v2
9849dcf
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
VERSION: upcoming major
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@wmertens @Varixo @shairez @JerryWu1234 @GrandSchtroumpf