Merge branch 'main' into fix-cloudflare

brenelz · web-flow · commit a690646a4696 · 2026-05-05T22:49:22.000-05:00
diff --git a/.changeset/sanitize-location-header.md b/.changeset/sanitize-location-header.md
@@ -0,0 +1,5 @@
+---
+"@solidjs/start": patch
+---
+
+Sanitize Location header value in streaming redirect script
diff --git a/packages/start/src/server/handler.ts b/packages/start/src/server/handler.ts
@@ -213,7 +213,7 @@ function handleStreamCompleteRedirect(context: PageEvent) {
   return ({ write }: { write: (html: string) => void }) => {
     context.complete = true;
     const to = context.response && context.response.headers.get("Location");
-    to && write(`<script>window.location="${to}"</script>`);
+    to && write(`<script>window.location=${JSON.stringify(to).replace(/</g, "\\u003c")}</script>`);
   };
 }
 

-Original file line number
+Diff line change
@@ @@ -0,0 +1,5 @@ @@
 +---
 +"@solidjs/start": patch
 +---
++
 +Sanitize Location header value in streaming redirect script
Original file line number	Diff line number	Diff line change
`@@ -213,7 +213,7 @@ function handleStreamCompleteRedirect(context: PageEvent) {`
`213`	`213`	`return ({ write }: { write: (html: string) => void }) => {`
`214`	`214`	`context.complete = true;`
`215`	`215`	`const to = context.response && context.response.headers.get("Location");`
`216`		- to && write(`<script>window.location="${to}"</script>`);
	`216`	+ to && write(`<script>window.location=${JSON.stringify(to).replace(/</g, "\\u003c")}</script>`);
`217`	`217`	`};`
`218`	`218`	`}`
`219`	`219`