fix(ssr): preloading fixes and tweaks #7506

Merged
merged 5 commits into from
Apr 9, 2025

Conversation

wmertens
Member

@wmertens wmertens commented Apr 9, 2025

No description provided.

wmertens added 3 commits April 9, 2025 14:22
- use json again because overall it takes less time to parse
- don't preload so that the critical bundles have precedence
- don't exclude preloader from critical bundles
@wmertens wmertens requested review from a team as code owners April 9, 2025 17:36
@wmertens wmertens enabled auto-merge April 9, 2025 17:36

changeset-bot bot commented Apr 9, 2025

🦋 Changeset detected

Latest commit: d9446cf

The changes in this PR will be included in the next version bump.

@@ -88,16 +81,21 @@
opts.push(`Q:${minPreloadProbability}`);
}
const optsStr = opts.length ? `,{${opts.join(',')}}` : '';
const script = `let b=fetch("${base}q-bundle-graph-${manifestHash}.json");import("${base}${preloadChunk}").then(({l,p})=>{l(${JSON.stringify(base)},b${optsStr});p(${JSON.stringify(referencedBundles)});})`;
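Review bot: In the `script` template, `base`, `manifestHash` and `preloadChunk` are interpolated directly inside double-quoted literals (`fetch("${base}q-bundle-graph-${manifestHash}.json")` and `import("${base}${preloadChunk}")`), while the same `base` goes through `JSON.stringify` later in the same string. A `"` or `\` in any of these values ends or alters the literal, so build each URL as one string and serialize it with `JSON.stringify` like the other arguments. `JSON.stringify` also leaves `<` untouched, so if this string is written into an inline script element, escape `<` in the final serialized text as well.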

Check warning

Code scanning / CodeQL

Improper code sanitization Medium

Code construction depends on an improperly sanitized value.

Copilot Autofix

AI about 2 months ago

To fix the problem, we need to ensure that the referencedBundles array is properly sanitized before being included in the JavaScript code. We can achieve this by escaping potentially dangerous characters in each string within the referencedBundles array. This can be done by creating a utility function to escape unsafe characters and applying it to each element of the array before passing it to JSON.stringify.

  • Create a utility function escapeUnsafeChars to escape potentially dangerous characters.
  • Apply this function to each element of the referencedBundles array before passing it to JSON.stringify.
  • Update the relevant lines in the includePreloader function to use the sanitized array.
Suggested changeset 1
packages/qwik/src/server/prefetch-implementation.ts

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/packages/qwik/src/server/prefetch-implementation.ts b/packages/qwik/src/server/prefetch-implementation.ts
--- a/packages/qwik/src/server/prefetch-implementation.ts
+++ b/packages/qwik/src/server/prefetch-implementation.ts
@@ -83,3 +83,4 @@
     const optsStr = opts.length ? `,{${opts.join(',')}}` : '';
-    const script = `let b=fetch("${base}q-bundle-graph-${manifestHash}.json");import("${base}${preloadChunk}").then(({l,p})=>{l(${JSON.stringify(base)},b${optsStr});p(${JSON.stringify(referencedBundles)});})`;
+    const sanitizedBundles = referencedBundles.map(bundle => escapeUnsafeChars(bundle));
+    const script = `let b=fetch("${base}q-bundle-graph-${manifestHash}.json");import("${base}${preloadChunk}").then(({l,p})=>{l(${JSON.stringify(base)},b${optsStr});p(${JSON.stringify(sanitizedBundles)});})`;
     /**
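Review bot: `escapeUnsafeChars` runs before `JSON.stringify` on the `sanitizedBundles` line, so the backslash in a replacement such as `\u003C` is escaped a second time by `JSON.stringify` and `p()` receives the literal six characters rather than `<`. Apply the escape to the output of `JSON.stringify(referencedBundles)` instead, so the value round-trips unchanged. The raw `${base}`, `${manifestHash}` and `${preloadChunk}` interpolations on the same `script` line are not touched by this change and still need the same treatment.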
@@ -128 +129,19 @@
 };
+
+function escapeUnsafeChars(str: string): string {
+  const charMap: { [key: string]: string } = {
+    '<': '\\u003C',
+    '>': '\\u003E',
+    '/': '\\u002F',
+    '\\': '\\\\',
+    '\b': '\\b',
+    '\f': '\\f',
+    '\n': '\\n',
+    '\r': '\\r',
+    '\t': '\\t',
+    '\0': '\\0',
+    '\u2028': '\\u2028',
+    '\u2029': '\\u2029'
+  };
+  return str.replace(/[<>\b\f\n\r\t\0\u2028\u2029]/g, x => charMap[x]);
+}
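Review bot: The `charMap` entries for `'/'` and `'\\'` are never used, because the character class in `str.replace(/[<>\b\f\n\r\t\0\u2028\u2029]/g, x => charMap[x])` contains neither `/` nor `\`. Either add both characters to the class or drop the two entries; as written a backslash in the input passes through unescaped, so the output cannot be distinguished from the escapes the function itself produces. A short doc comment stating which context the output is safe for (inside a JSON string, inside an inline script) would also help callers.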
EOF
Copilot is powered by AI and may make mistakes. Always verify output.
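The effect of ordering in the sanitization approach described in the Autofix comment above, as an added example that is not part of this PR or the Qwik code base. The function names and the sample bundle list are constructed for illustration; the example compares escaping each string before `JSON.stringify` with escaping the serialized output.

```javascript
// Added example; all names here are hypothetical, not Qwik APIs.

// Characters that can terminate or confuse an inline <script> block, plus the
// two separators older engines treat as line terminators in string literals.
const UNSAFE = /[<>\u2028\u2029]/g;
const toUnicodeEscape = (ch) =>
  '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0');

// Order A: escape every element, then serialize (the order the patch uses).
function escapeThenStringify(list) {
  return JSON.stringify(list.map((s) => s.replace(UNSAFE, toUnicodeEscape)));
}

// Order B: serialize first, then escape the serialized text.
function stringifyThenEscape(list) {
  return JSON.stringify(list).replace(UNSAFE, toUnicodeEscape);
}

// Summarize, for each order, whether the text is free of angle brackets and
// whether the consumer gets back exactly the strings that were passed in.
function compare(list) {
  const original = JSON.stringify(list);
  const describe = (text) => ({
    text,
    hasAngle: /[<>]/.test(text),
    roundTrips: JSON.stringify(JSON.parse(text)) === original,
  });
  return {
    plainHasScriptClose: original.includes('</script'),
    escapeFirst: describe(escapeThenStringify(list)),
    stringifyFirst: describe(stringifyThenEscape(list)),
  };
}

// Constructed sample input: one ordinary bundle name and one value that
// contains a script end tag.
const sampleBundles = ['q-abc123.js', 'x</script>y'];

console.log(compare(sampleBundles));
```

Both orders remove the angle brackets from the emitted text, but only the second hands the consumer the original strings.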
Contributor

github-actions bot commented Apr 9, 2025

built with Refined Cloudflare Pages Action

⚡ Cloudflare Pages Deployment

Name Status Preview Last Commit
qwik-docs ✅ Ready (View Log) Visit Preview 9712be5

pkg-pr-new bot commented Apr 9, 2025

npm i https://pkg.pr.new/@builder.io/qwik@7506
npm i https://pkg.pr.new/@builder.io/qwik-city@7506
npm i https://pkg.pr.new/eslint-plugin-qwik@7506
npm i https://pkg.pr.new/create-qwik@7506

commit: f26a942

Contributor

@shairez shairez left a comment

LGTM 👍 🙏

@wmertens wmertens merged commit 23ed7db into main Apr 9, 2025
16 checks passed
@wmertens wmertens deleted the fix-preload-ssr branch April 9, 2025 21:36
@github-actions github-actions bot mentioned this pull request Apr 6, 2025