From ac10659ff8d634dba9ad29345180c8ac2804e8d6 Mon Sep 17 00:00:00 2001
From: baseballyama <xydybaseball@gmail.com>
Date: Fri, 31 Mar 2023 00:21:42 +0900
Subject: [PATCH 1/4] fix escape

---
 src/runtime/internal/ssr.ts                       | 2 +-
 test/runtime/samples/attribute-escape/_config.js  | 4 ++++
 test/runtime/samples/attribute-escape/main.svelte | 1 +
 3 files changed, 6 insertions(+), 1 deletion(-)
 create mode 100644 test/runtime/samples/attribute-escape/_config.js
 create mode 100644 test/runtime/samples/attribute-escape/main.svelte

diff --git a/src/runtime/internal/ssr.ts b/src/runtime/internal/ssr.ts
index e6d747dc1893..432a9b3674cd 100644
--- a/src/runtime/internal/ssr.ts
+++ b/src/runtime/internal/ssr.ts
@@ -69,7 +69,7 @@ export function merge_ssr_styles(style_attribute, style_directive) {
 	return style_object;
 }
 
-const ATTR_REGEX = /[&"]/g;
+const ATTR_REGEX = /[&"<]/g;
 const CONTENT_REGEX = /[&<]/g;
 
 /**
diff --git a/test/runtime/samples/attribute-escape/_config.js b/test/runtime/samples/attribute-escape/_config.js
new file mode 100644
index 000000000000..25313f01dc52
--- /dev/null
+++ b/test/runtime/samples/attribute-escape/_config.js
@@ -0,0 +1,4 @@
+export default {
+	html: '<textarea></textarea>',
+	ssrHtml: '<textarea>test\'"&gt;&lt;/textarea&gt;&lt;script&gt;alert(\'BIM\');&lt;/script&gt;</textarea>'
+};
diff --git a/test/runtime/samples/attribute-escape/main.svelte b/test/runtime/samples/attribute-escape/main.svelte
new file mode 100644
index 000000000000..1b1fdf62a0d4
--- /dev/null
+++ b/test/runtime/samples/attribute-escape/main.svelte
@@ -0,0 +1 @@
+<textarea value={`test'"></textarea><script>alert('BIM');</script>`} />

From aadda27bea9000fb0b5370572546bd4ec7ae5dde Mon Sep 17 00:00:00 2001
From: baseballyama <xydybaseball@gmail.com>
Date: Fri, 31 Mar 2023 01:20:30 +0900
Subject: [PATCH 2/4] now handle only textarea

---
 src/compiler/compile/render_ssr/handlers/Element.ts       | 4 ++--
 .../render_ssr/handlers/shared/get_attribute_value.ts     | 8 ++++++--
 src/runtime/internal/ssr.ts                               | 2 +-
 3 files changed, 9 insertions(+), 5 deletions(-)

diff --git a/src/compiler/compile/render_ssr/handlers/Element.ts b/src/compiler/compile/render_ssr/handlers/Element.ts
index d9254a7b860b..80557f429163 100644
--- a/src/compiler/compile/render_ssr/handlers/Element.ts
+++ b/src/compiler/compile/render_ssr/handlers/Element.ts
@@ -63,7 +63,7 @@ export default function (node: Element, renderer: Renderer, options: RenderOptio
 				const attr_name = node.namespace === namespaces.foreign ? attribute.name : fix_attribute_casing(attribute.name);
 				const name = attribute.name.toLowerCase();
 				if (name === 'value' && node.name.toLowerCase() === 'textarea') {
-					node_contents = get_attribute_value(attribute);
+					node_contents = get_attribute_value(attribute, true);
 				} else if (attribute.is_true) {
 					args.push(x`{ ${attr_name}: true }`);
 				} else if (
@@ -90,7 +90,7 @@ export default function (node: Element, renderer: Renderer, options: RenderOptio
 			const name = attribute.name.toLowerCase();
 			const attr_name = node.namespace === namespaces.foreign ? attribute.name : fix_attribute_casing(attribute.name);
 			if (name === 'value' && node.name.toLowerCase() === 'textarea') {
-				node_contents = get_attribute_value(attribute);
+				node_contents = get_attribute_value(attribute, true);
 			} else if (attribute.is_true) {
 				renderer.add_string(` ${attr_name}`);
 			} else if (
diff --git a/src/compiler/compile/render_ssr/handlers/shared/get_attribute_value.ts b/src/compiler/compile/render_ssr/handlers/shared/get_attribute_value.ts
index f431ea01db12..2c5b4ae157c8 100644
--- a/src/compiler/compile/render_ssr/handlers/shared/get_attribute_value.ts
+++ b/src/compiler/compile/render_ssr/handlers/shared/get_attribute_value.ts
@@ -16,14 +16,18 @@ export function get_class_attribute_value(attribute: Attribute): ESTreeExpressio
 	return get_attribute_value(attribute);
 }
 
-export function get_attribute_value(attribute: Attribute): ESTreeExpression {
+/**
+ * For value attribute of textarea, it will render as child node of `<textarea>` element.
+ * Therefore, we need to escape as content (not attribute).
+ */
+export function get_attribute_value(attribute: Attribute, is_textarea_value = false): ESTreeExpression {
 	if (attribute.chunks.length === 0) return x`""`;
 
 	return attribute.chunks
 		.map((chunk) => {
 			return chunk.type === 'Text'
 				? string_literal(chunk.data.replace(regex_double_quotes, '&quot;')) as ESTreeExpression
-				: x`@escape(${chunk.node}, true)`;
+				: x`@escape(${chunk.node}, ${is_textarea_value ? 'false' : 'true'})`;
 		})
 		.reduce((lhs, rhs) => x`${lhs} + ${rhs}`);
 }
diff --git a/src/runtime/internal/ssr.ts b/src/runtime/internal/ssr.ts
index 432a9b3674cd..e6d747dc1893 100644
--- a/src/runtime/internal/ssr.ts
+++ b/src/runtime/internal/ssr.ts
@@ -69,7 +69,7 @@ export function merge_ssr_styles(style_attribute, style_directive) {
 	return style_object;
 }
 
-const ATTR_REGEX = /[&"<]/g;
+const ATTR_REGEX = /[&"]/g;
 const CONTENT_REGEX = /[&<]/g;
 
 /**

From 1ed69fa0f2b54eb1a2b4931e9c4227ea7c09d720 Mon Sep 17 00:00:00 2001
From: baseballyama <xydybaseball@gmail.com>
Date: Fri, 31 Mar 2023 01:41:49 +0900
Subject: [PATCH 3/4] refactor

---
 src/compiler/compile/render_ssr/handlers/Element.ts |  4 ++--
 .../handlers/shared/get_attribute_value.ts          | 13 ++++++++-----
 2 files changed, 10 insertions(+), 7 deletions(-)

diff --git a/src/compiler/compile/render_ssr/handlers/Element.ts b/src/compiler/compile/render_ssr/handlers/Element.ts
index 80557f429163..d9254a7b860b 100644
--- a/src/compiler/compile/render_ssr/handlers/Element.ts
+++ b/src/compiler/compile/render_ssr/handlers/Element.ts
@@ -63,7 +63,7 @@ export default function (node: Element, renderer: Renderer, options: RenderOptio
 				const attr_name = node.namespace === namespaces.foreign ? attribute.name : fix_attribute_casing(attribute.name);
 				const name = attribute.name.toLowerCase();
 				if (name === 'value' && node.name.toLowerCase() === 'textarea') {
-					node_contents = get_attribute_value(attribute, true);
+					node_contents = get_attribute_value(attribute);
 				} else if (attribute.is_true) {
 					args.push(x`{ ${attr_name}: true }`);
 				} else if (
@@ -90,7 +90,7 @@ export default function (node: Element, renderer: Renderer, options: RenderOptio
 			const name = attribute.name.toLowerCase();
 			const attr_name = node.namespace === namespaces.foreign ? attribute.name : fix_attribute_casing(attribute.name);
 			if (name === 'value' && node.name.toLowerCase() === 'textarea') {
-				node_contents = get_attribute_value(attribute, true);
+				node_contents = get_attribute_value(attribute);
 			} else if (attribute.is_true) {
 				renderer.add_string(` ${attr_name}`);
 			} else if (
diff --git a/src/compiler/compile/render_ssr/handlers/shared/get_attribute_value.ts b/src/compiler/compile/render_ssr/handlers/shared/get_attribute_value.ts
index 2c5b4ae157c8..dca2cde2017f 100644
--- a/src/compiler/compile/render_ssr/handlers/shared/get_attribute_value.ts
+++ b/src/compiler/compile/render_ssr/handlers/shared/get_attribute_value.ts
@@ -16,13 +16,16 @@ export function get_class_attribute_value(attribute: Attribute): ESTreeExpressio
 	return get_attribute_value(attribute);
 }
 
-/**
- * For value attribute of textarea, it will render as child node of `<textarea>` element.
- * Therefore, we need to escape as content (not attribute).
- */
-export function get_attribute_value(attribute: Attribute, is_textarea_value = false): ESTreeExpression {
+
+export function get_attribute_value(attribute: Attribute): ESTreeExpression {
 	if (attribute.chunks.length === 0) return x`""`;
 
+	/**
+	 * For value attribute of textarea, it will render as child node of `<textarea>` element.
+	 * Therefore, we need to escape as content (not attribute).
+	 */
+	const is_textarea_value = attribute.parent.name.toLowerCase() === 'textarea' && attribute.name.toLowerCase() === 'value';
+
 	return attribute.chunks
 		.map((chunk) => {
 			return chunk.type === 'Text'

From de081e386ebfbc993a6e3dcefa1ca7716254da3c Mon Sep 17 00:00:00 2001
From: baseballyama <xydybaseball@gmail.com>
Date: Fri, 31 Mar 2023 01:50:52 +0900
Subject: [PATCH 4/4] remove empty line

---
 .../compile/render_ssr/handlers/shared/get_attribute_value.ts    | 1 -
 1 file changed, 1 deletion(-)

diff --git a/src/compiler/compile/render_ssr/handlers/shared/get_attribute_value.ts b/src/compiler/compile/render_ssr/handlers/shared/get_attribute_value.ts
index dca2cde2017f..1d365da673ad 100644
--- a/src/compiler/compile/render_ssr/handlers/shared/get_attribute_value.ts
+++ b/src/compiler/compile/render_ssr/handlers/shared/get_attribute_value.ts
@@ -16,7 +16,6 @@ export function get_class_attribute_value(attribute: Attribute): ESTreeExpressio
 	return get_attribute_value(attribute);
 }
 
-
 export function get_attribute_value(attribute: Attribute): ESTreeExpression {
 	if (attribute.chunks.length === 0) return x`""`;