Issues with new entity escaping behavior

[Conduitry]

The new entity escaping in 1.51 introduced a couple of issues:

• Compiling <div>'foo'<bar/></div> results in code that renders &##39;foo&##39;. There's obviously something going on with the sigil escaping here. Either it never gets unescaped, or it's getting escaped an additional time before getting unescaped.

• Non-top-level <style> and <script> elements (which are useful when using SSR to render an entire document) are rendered back into the document with entities escaped, which breaks a bunch of stuff.

Also an existing problem from before 1.51: Non-top-level <style> and <script> elements are parsed as though they were HTML. So e.g. something like <div><script>alert('<>')</script></div> results in a parse error because Svelte is expecting a tag name in the <>. The parser should consume until the </script> when inside a <script> tag, even if it is not a top-level one.

[Conduitry]

Also, relatedly, I think the new escapeHTML function should probably only escape &, <, and >. It's only being used to escape strings that appear as text nodes, not attributes. I think this would eliminate the first issue (since the entity for ' is the only one affected by sigil escaping), but we should still look into exactly what's happening there and address it.

[arxpoetica]

See: https://svelte.technology/repl?version=1.51.0&gist=2fabbd64d03708d6e536811387a87d5a

[TehShrike]

Only seems to happen if the characters are inside an element that isn't at the top level: https://svelte.technology/repl?version=1.51.0&gist=637056dfca497eb872db02ca231ef89d

[Conduitry]

Yeah that issue is one of the ones fixed by my PR, which has been merged and will be in the next version.

[Rich-Harris]

Just released the fix — closing