From d4d349ca96b57f4cbf36d84b41bcb3ca5bd70850 Mon Sep 17 00:00:00 2001
From: David Glasser <glasser@meteor.com>
Date: Tue, 17 Feb 2015 18:01:01 -0800
Subject: [PATCH] Don't overly escape Meteor.settings.public

Fixes #3730.

Testing Done:
Manual testing based on the report in #3730. Also confirmed that `</script>` is not a problem.

I would have added a test-packages test but there's no easy way to override Meteor.settings in test-packages.

Bugs closed: 3730

Reviewed at https://rbcommons.com/s/meteor/r/1/
---
 .../boilerplate-generator/boilerplate_web.browser.html   | 2 +-
 .../boilerplate-generator/boilerplate_web.cordova.html   | 2 +-
 packages/webapp/package.js                               | 1 +
 packages/webapp/webapp_client_tests.js                   | 5 +++++
 packages/webapp/webapp_server.js                         | 9 ++++++++-
 packages/webapp/webapp_tests.js                          | 3 +++
 tools/commands-cordova.js                                | 3 ++-
 7 files changed, 21 insertions(+), 4 deletions(-)
 create mode 100644 packages/webapp/webapp_client_tests.js

diff --git a/packages/boilerplate-generator/boilerplate_web.browser.html b/packages/boilerplate-generator/boilerplate_web.browser.html
index eced069aaa..3871c81e6e 100644
--- a/packages/boilerplate-generator/boilerplate_web.browser.html
+++ b/packages/boilerplate-generator/boilerplate_web.browser.html
@@ -3,7 +3,7 @@
 {{#each css}}  <link rel="stylesheet" type="text/css" class="__meteor-css__" href="{{../bundledJsCssPrefix}}{{url}}">{{/each}}
 
 {{#if inlineScriptsAllowed}}
-<script type='text/javascript'>__meteor_runtime_config__ = {{meteorRuntimeConfig}};</script>
+<script type='text/javascript'>__meteor_runtime_config__ = JSON.parse(decodeURIComponent({{meteorRuntimeConfig}}));</script>
 {{else}}
 <script type='text/javascript' src='{{rootUrlPathPrefix}}/meteor_runtime_config.js'></script>
 {{/if}}
diff --git a/packages/boilerplate-generator/boilerplate_web.cordova.html b/packages/boilerplate-generator/boilerplate_web.cordova.html
index d4cd0be029..7f8252102a 100644
--- a/packages/boilerplate-generator/boilerplate_web.cordova.html
+++ b/packages/boilerplate-generator/boilerplate_web.cordova.html
@@ -8,7 +8,7 @@
 {{#each css}}  <link rel="stylesheet" type="text/css" class="__meteor-css__" href="{{../bundledJsCssPrefix}}{{url}}">{{/each}}
 
   <script type='text/javascript'>
-    __meteor_runtime_config__ = {{meteorRuntimeConfig}};
+    __meteor_runtime_config__ = JSON.parse(decodeURIComponent({{meteorRuntimeConfig}}));
 
     if (/Android/i.test(navigator.userAgent)) {
       // When Android app is emulated, it cannot connect to localhost,
diff --git a/packages/webapp/package.js b/packages/webapp/package.js
index 54ab0da89a..1fc8c9203f 100644
--- a/packages/webapp/package.js
+++ b/packages/webapp/package.js
@@ -31,4 +31,5 @@ Package.onUse(function (api) {
 Package.onTest(function (api) {
   api.use(['tinytest', 'webapp', 'http']);
   api.addFiles('webapp_tests.js', 'server');
+  api.addFiles('webapp_client_tests.js', 'client');
 });
diff --git a/packages/webapp/webapp_client_tests.js b/packages/webapp/webapp_client_tests.js
new file mode 100644
index 0000000000..cae19e9978
--- /dev/null
+++ b/packages/webapp/webapp_client_tests.js
@@ -0,0 +1,5 @@
+// Regression test for #3730
+Tinytest.add("webapp - runtime config", function (test) {
+  test.equal(__meteor_runtime_config__.WEBAPP_TEST_A, '<p>foo</p>');
+  test.equal(__meteor_runtime_config__.WEBAPP_TEST_B, '</script>');
+});
diff --git a/packages/webapp/webapp_server.js b/packages/webapp/webapp_server.js
index b05041740c..9b4b00fdbd 100644
--- a/packages/webapp/webapp_server.js
+++ b/packages/webapp/webapp_server.js
@@ -289,7 +289,14 @@ WebAppInternals.generateBoilerplateInstance = function (arch,
             };
           }
         ),
-        meteorRuntimeConfig: JSON.stringify(runtimeConfig),
+        // Convert to a JSON string, then get rid of most weird characters, then
+        // wrap in double quotes. (The outermost JSON.stringify really ought to
+        // just be "wrap in double quotes" but we use it to be safe.) This might
+        // end up inside a <script> tag so we need to be careful to not include
+        // "</script>", but normal {{spacebars}} escaping escapes too much! See
+        // https://github.com/meteor/meteor/issues/3730
+        meteorRuntimeConfig: JSON.stringify(
+          encodeURIComponent(JSON.stringify(runtimeConfig))),
         rootUrlPathPrefix: __meteor_runtime_config__.ROOT_URL_PATH_PREFIX || '',
         bundledJsCssPrefix: jsCssPrefix,
         inlineScriptsAllowed: WebAppInternals.inlineScriptsAllowed(),
diff --git a/packages/webapp/webapp_tests.js b/packages/webapp/webapp_tests.js
index 74e0b04b48..0d9dcefd54 100644
--- a/packages/webapp/webapp_tests.js
+++ b/packages/webapp/webapp_tests.js
@@ -155,3 +155,6 @@ Tinytest.add("webapp - generating boilerplate should not change runtime config",
 
   test.isFalse(__meteor_runtime_config__.WEBAPP_TEST_KEY);
 });
+
+__meteor_runtime_config__.WEBAPP_TEST_A = '<p>foo</p>';
+__meteor_runtime_config__.WEBAPP_TEST_B = '</script>';
diff --git a/tools/commands-cordova.js b/tools/commands-cordova.js
index 01407ff194..3baf71e4f9 100644
--- a/tools/commands-cordova.js
+++ b/tools/commands-cordova.js
@@ -331,7 +331,8 @@ var generateCordovaBoilerplate = function (projectContext, clientDir, options) {
     urlMapper: _.identity,
     pathMapper: function (p) { return files.pathJoin(clientDir, p); },
     baseDataExtension: {
-      meteorRuntimeConfig: JSON.stringify(runtimeConfig)
+      meteorRuntimeConfig: JSON.stringify(
+        encodeURIComponent(JSON.stringify(runtimeConfig)))
     }
   });
   return boilerplate.toHTML();