René's URL Explorer Experiment


Title: fix(ssr): escape bq-text values on raw-text elements in pure renderer by JosunLP · Pull Request #183 · bQuery/bQuery · GitHub

Open Graph Title: fix(ssr): escape bq-text values on raw-text elements in pure renderer by JosunLP · Pull Request #183 · bQuery/bQuery

X Title: fix(ssr): escape bq-text values on raw-text elements in pure renderer by JosunLP · Pull Request #183 · bQuery/bQuery

Description: Summary Fixes #163 (Critical). In the default pure SSR renderer, setText wrote bq-text values verbatim as text children, and serializeTree emits text inside raw-text elements (script/style/textarea/title) without escaping. An untrusted value like closed the element and injected live markup — stored XSS in the default backend on Node/Bun/Deno. Fix setText now escapes via escapeText when the target element is raw (el.raw), exactly mirroring the pre-existing bq-model reflection handling (which already named this hazard). The bq-model call site now reuses the centralized logic. Verification Regression tests for