cloudflare · LukePercy · Apr 2, 2026 · ask-bonk · Apr 3, 2026 · ask-bonk
diff --git a/.github/workflows/nextjs-tracker.yml b/.github/workflows/nextjs-tracker.yml
@@ -39,8 +39,9 @@ jobs:
         id: commits
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          SINCE_HOURS: ${{ github.event.inputs.since_hours || '24' }}
         run: |
-          HOURS="${{ github.event.inputs.since_hours || '24' }}"
+          HOURS="$SINCE_HOURS"
           SINCE=$(date -u -d "${HOURS} hours ago" +%Y-%m-%dT%H:%M:%SZ)
 
           echo "Fetching Next.js canary commits since $SINCE"
@@ -70,8 +71,10 @@ jobs:
       - name: Build tracker prompt
         id: build_prompt
         if: steps.commits.outputs.has_commits == 'true'
+        env:
+          DRY_RUN_INPUT: ${{ github.event.inputs.dry_run || 'false' }}
         run: |
-          DRY_RUN="${{ github.event.inputs.dry_run || 'false' }}"
+          DRY_RUN="$DRY_RUN_INPUT"
           COMMITS=$(cat /tmp/nextjs-commits.json)
 
           if [ "$DRY_RUN" = "true" ]; then
@@ -134,4 +137,6 @@ jobs:
 
       - name: Skip (no commits)
         if: steps.commits.outputs.has_commits == 'false'
-        run: echo "No Next.js canary commits in the last ${{ github.event.inputs.since_hours || '24' }} hours. Nothing to do."
+        env:
+          SINCE_HOURS: ${{ github.event.inputs.since_hours || '24' }}
+        run: echo "No Next.js canary commits in the last $SINCE_HOURS hours. Nothing to do."
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -44,13 +44,15 @@ jobs:
       - name: Bump version
         id: version
         working-directory: packages/vinext
+        env:
+          BUMP: ${{ inputs.bump }}
         run: |
           # vp wraps package-manager subcommands, but versioning still needs the real npm CLI
           # because we are mutating package.json in place before the publish step.
           LATEST=$(npm view vinext version 2>/dev/null || echo "0.0.0")
           IFS='.' read -r MAJOR MINOR PATCH <<< "$LATEST"
 
-          case "${{ inputs.bump }}" in
+          case "$BUMP" in
             major)
               MAJOR=$((MAJOR + 1))
               MINOR=0

diff --git a/examples/hackernews/components/comment.jsx b/examples/hackernews/components/comment.jsx
@@ -1,6 +1,7 @@
 'use client';
 
 import { useState } from 'react';
+import DOMPurify from 'dompurify';
 
 import timeAgo from '../lib/time-ago';
 
@@ -26,7 +27,7 @@ export default function Comment({ user, text, date, comments, commentsCount }) {
             <div
               key="text"
               className={styles.text}
-              dangerouslySetInnerHTML={{ __html: text }}
+              dangerouslySetInnerHTML={{ __html: DOMPurify.sanitize(text) }}
             />,
             <div key="children" className={styles.children}>
               {comments.map((comment) => (

diff --git a/examples/hackernews/package.json b/examples/hackernews/package.json
@@ -1,26 +1,28 @@
 {
-  "name": "vinext-hackernews",
-  "type": "module",
-  "private": true,
-  "scripts": {
-    "dev": "vp dev",
-    "build": "vp build",
-    "preview": "vp preview"
-  },
-  "dependencies": {
-    "@vitejs/plugin-react": "catalog:",
-    "ms": "catalog:",
-    "react": "catalog:",
-    "react-dom": "catalog:",
-    "server-only": "catalog:",
-    "vite": "catalog:",
-    "vinext": "workspace:*",
-    "@vitejs/plugin-rsc": "catalog:",
-    "react-server-dom-webpack": "catalog:",
-    "@cloudflare/vite-plugin": "catalog:",
-    "wrangler": "catalog:"
-  },
-  "devDependencies": {
-    "vite-plus": "catalog:"
-  }
+    "name": "vinext-hackernews",
+    "type": "module",
+    "private": true,
+    "scripts": {
+        "dev": "vp dev",
+        "build": "vp build",
+        "preview": "vp preview"
+    },
+    "dependencies": {
+        "@vitejs/plugin-react": "catalog:",
+        "dompurify": "catalog:",
+        "ms": "catalog:",
+        "react": "catalog:",
+        "react-dom": "catalog:",
+        "server-only": "catalog:",
+        "vite": "catalog:",
+        "vinext": "workspace:*",
+        "@vitejs/plugin-rsc": "catalog:",
+        "react-server-dom-webpack": "catalog:",
+        "@cloudflare/vite-plugin": "catalog:",
+        "wrangler": "catalog:"
+    },
+    "devDependencies": {
+        "@cloudflare/workers-types": "catalog:",
+        "vite-plus": "catalog:"
+    }
 }
diff --git a/examples/hackernews/tsconfig.json b/examples/hackernews/tsconfig.json
@@ -8,8 +8,15 @@
     "esModuleInterop": true,
     "skipLibCheck": true,
     "allowJs": true,
-    "baseUrl": ".",
-    "types": ["@cloudflare/workers-types"]
+    "noEmit": true,
+    "types": [
+      "@cloudflare/workers-types"
+    ]
   },
-  "include": ["app", "components", "lib", "worker"]
-}
+  "include": [
+    "app",
+    "components",
+    "lib",
+    "worker"
+  ]
+}
diff --git a/packages/vinext/src/shims/head.ts b/packages/vinext/src/shims/head.ts
@@ -272,7 +272,9 @@ export function escapeAttr(s: string): string {
  * context but prevents the HTML parser from seeing a closing tag.
  */
 export function escapeInlineContent(content: string, tag: string): string {
-  // Build a pattern like `<\/script` or `<\/style`, case-insensitive
+  // Build a pattern like `<\/script` or `<\/style`, case-insensitive.
+  // `tag` is always a literal developer-controlled value ("script" or "style")
+  // guarded by the RAW_CONTENT_TAGS.has(tag) check at all call sites — never user input.
   const pattern = new RegExp(`<\\/(${tag})`, "gi");
   return content.replace(pattern, "<\\/$1");
 }

diff --git a/packages/vinext/src/shims/script.tsx b/packages/vinext/src/shims/script.tsx
@@ -156,6 +156,11 @@ function Script(props: ScriptProps): React.ReactElement | null {
       }
 
       if (dangerouslySetInnerHTML?.__html) {
+        // Intentional: mirrors the Next.js <Script> API where dangerouslySetInnerHTML
+        // is developer-supplied inline script content (not user input). The prop name
+        // itself signals developer awareness of the XSS risk, consistent with React's
+        // design. User-supplied data must never flow into this prop.
+        // eslint-disable-next-line no-unsanitized/property
         el.innerHTML = dangerouslySetInnerHTML.__html as string;
       } else if (children && typeof children === "string") {
         el.textContent = children;

diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
diff --git a/pnpm-workspace.yaml b/pnpm-workspace.yaml
@@ -41,6 +41,8 @@ catalog:
   clsx: ^2.1.1
   codehike: 1.0.7
   date-fns: 4.1.0
+  dompurify: ^3.2.6
+  "@types/dompurify": ^3.0.5
   fumadocs-core: 16.6.17
   fumadocs-mdx: 14.2.10
   fumadocs-ui: 16.6.17

diff --git a/tests/vite-hmr-websocket.test.ts b/tests/vite-hmr-websocket.test.ts
@@ -29,7 +29,7 @@ function readUpgradeResponse(
         "Connection: Upgrade",
         "Upgrade: websocket",
         "Sec-WebSocket-Version: 13",
-        "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==",
+        "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==", // gitleaks:allow — RFC 6455 example nonce ("the sample nonce"), not a real credential
         "Sec-WebSocket-Protocol: vite-hmr",
       ];
       if (origin) lines.push(`Origin: ${origin}`);