'%3e%3cpath%20d='M60.1045%204.8978C55.5792%202.8214%2050.7265%201.2916%2045.6527%200.41542C45.5603%200.39851%2045.468%200.440769%2045.4204%200.525289C44.7963%201.6353%2044.105%203.0834%2043.6209%204.2216C38.1637%203.4046%2032.7345%203.4046%2027.3892%204.2216C26.905%203.0581%2026.1886%201.6353%2025.5617%200.525289C25.5141%200.443589%2025.4218%200.40133%2025.3294%200.41542C20.2584%201.2888%2015.4057%202.8186%2010.8776%204.8978C10.8384%204.9147%2010.8048%204.9429%2010.7825%204.9795C1.57795%2018.7309%20-0.943561%2032.1443%200.293408%2045.3914C0.299005%2045.4562%200.335386%2045.5182%200.385761%2045.5576C6.45866%2050.0174%2012.3413%2052.7249%2018.1147%2054.5195C18.2071%2054.5477%2018.305%2054.5139%2018.3638%2054.4378C19.7295%2052.5728%2020.9469%2050.6063%2021.9907%2048.5383C22.0523%2048.4172%2021.9935%2048.2735%2021.8676%2048.2256C19.9366%2047.4931%2018.0979%2046.6%2016.3292%2045.5858C16.1893%2045.5041%2016.1781%2045.304%2016.3068%2045.2082C16.679%2044.9293%2017.0513%2044.6391%2017.4067%2044.3461C17.471%2044.2926%2017.5606%2044.2813%2017.6362%2044.3151C29.2558%2049.6202%2041.8354%2049.6202%2053.3179%2044.3151C53.3935%2044.2785%2053.4831%2044.2898%2053.5502%2044.3433C53.9057%2044.6363%2054.2779%2044.9293%2054.6529%2045.2082C54.7816%2045.304%2054.7732%2045.5041%2054.6333%2045.5858C52.8646%2046.6197%2051.0259%2047.4931%2049.0921%2048.2228C48.9662%2048.2707%2048.9102%2048.4172%2048.9718%2048.5383C50.038%2050.6034%2051.2554%2052.5699%2052.5959%2054.435C52.6519%2054.5139%2052.7526%2054.5477%2052.845%2054.5195C58.6464%2052.7249%2064.529%2050.0174%2070.6019%2045.5576C70.6551%2045.5182%2070.6887%2045.459%2070.6943%2045.3942C72.1747%2030.0791%2068.2147%2016.7757%2060.1968%204.9823C60.1772%204.9429%2060.1437%204.9147%2060.1045%204.8978ZM23.7259%2037.3253C20.2276%2037.3253%2017.3451%2034.1136%2017.3451%2030.1693C17.3451%2026.225%2020.1717%2023.0133%2023.7259%2023.0133C27.308%2023.0133%2030.1626%2026.2532%2030.1066%2030.1693C30.1066%2034.1136%2027.28%2037.3253%2023.7259%2037.3253ZM47.3178%2037.3253C43.8196%2037.3253%2040.9371%2034.1136%2040.9371%2030.1693C40.9371%2026.225%2043.7636%2023.0133%2047.3178%2023.0133C50.9%2023.0133%2053.7545%2026.2532%2053.6986%2030.1693C53.6986%2034.1136%2050.9%2037.3253%2047.3178%2037.3253Z'%20fill='%235865F2'/%3e%3c/g%3e%3cdefs%3e%3cclipPath%20id='clip0'%3e%3crect%20width='71'%20height='55'%20fill='white'/%3e%3c/clipPath%3e%3c/defs%3e%3c/svg%3e){kind=small}
'%20clip-path='url(%23clipPath1075)'%3e%3cg%20transform='matrix(2.6042,0,0,2.6042,789.58,466.67)'%3e%3cpath%20d='m12%202c5.523%200%2010%204.477%2010%2010s-4.477%2010-10%2010-10-4.477-10-10h2c0%204.418%203.582%208%208%208s8-3.582%208-8-3.582-8-8-8c-2.464%200-4.668%201.114-6.135%202.865l2.135%202.135h-6v-6l2.447%202.446c1.833-2.11%204.537-3.446%207.553-3.446zm1%205v4.585l3.243%203.243-1.415%201.415-3.828-3.83v-5.413z'/%3e%3c/g%3e%3c/g%3e%3c/svg%3e){kind=small}
escapeInject
Environment: server.
The escapeInject string template tag sanitizes HTML to prevent security risks commmonly called XSS injections.
If you use a UI framework Vike extension
vike-react/vike-vue/vike-solid, then you don't need to useescapeInjectyourself asvike-react/vike-vue/vike-solidalready sanitizes its HTML.
It's usually used by the onRenderHtml() hook.
// +onRenderHtml.js
// Environment: server
export { onRenderHtml }
import { escapeInject, dangerouslySkipEscape } from 'vike/server'
async function onRenderHtml() {
const title = 'Hello<script src="https://devil.org/evil-code"></script>'
// This HTML is safe thanks to `escapeInject` which sanitizes `title`
return escapeInject`<!DOCTYPE html>
<html>
<head>
<title>${title}</title>
</head>
<body>
<!-- ... ->
</body>
</html>`
}All strings, e.g. title above, are automatically sanitized (technically speaking: HTML-escaped)
so that we can safely include untrusted strings
such as user-generated text.
The dangerouslySkipEscape(str) function injects the string str as-is without sanitizing.
We should use dangerouslySkipEscape() with a lot of caution and
only for HTML strings that are guaranteed to be already sanitized.
We usually use dangerouslySkipEscape() for including HTML generated by UI frameworks (React/Vue/...) as these are already sanitized.
If we find ourselves using dangerouslySkipEscape() in other situations, we should be extra careful as we run into the risk of creating a security breach.
HTML Fragments
We can assemble the overall HTML document from several HTML fragments. For example, if we want some HTML parts to be included only for certain pages:
// +onRenderHtml.js
// Environment: server
import { escapeInject, dangerouslySkipEscape } from 'vike/server'
import { renderToHtml } from 'some-ui-framework'
export { onRenderHtml }
async function onRenderHtml(pageContext) {
const description = pageContext.config.description
const descriptionTag = !description ?
'' :
// We use `escapeInject` for an HTML fragment
escapeInject`<meta name="description" content="${description}">`
// We use `escapeInject` again for the overall HTML
return escapeInject`<html>
<head>
${descriptionTag}
</head>
<body>
<div id="root">
${dangerouslySkipEscape(await renderToHtml(pageContext.Page))}
</div>
</body>
</html>`
}
pageContext.config.descriptionis a custom setting, see API >meta> Example:titleanddescription.
Example: