@Copilot Copilot AI commented Sep 24, 2025

This PR addresses server crashes when encountering malformed URLs in static file serving middleware by centralizing and improving malformed URL handling.

Problem

Vite's development server would crash when encountering malformed URLs, particularly from template engines or user input containing expressions like:

```html
<img src="{% if product[0].image_urls[0] %}{{product[0].image_urls[0]}}{% endif %}" />
<img src="{{malformed}}" />
<img src="%ZZ%invalid" />
```

The crash occurred because decodeURI() throws an error when given malformed input, causing the entire middleware chain to fail.

Solution

  1. Centralized utility function: Moved decodeURIIfPossible from packages/vite/src/node/plugins/html.ts to packages/vite/src/node/utils.ts to make it available across the codebase.

  2. Fixed static middleware: Updated both serveStaticMiddleware and serveRawFsMiddleware in packages/vite/src/node/server/middlewares/static.ts to use decodeURIIfPossible instead of decodeURI, gracefully handling malformed URLs by skipping processing rather than crashing.

  3. Comprehensive testing: Added E2E tests in playground/html that verify the server doesn't crash with various malformed URL patterns.

Changes

  • packages/vite/src/node/utils.ts: Added decodeURIIfPossible function with JSDoc
  • packages/vite/src/node/plugins/html.ts: Removed local function, imported from utils
  • packages/vite/src/node/server/middlewares/static.ts: Updated both middleware functions to use safe decoding
  • playground/html/malformed-url.html: Test page with various malformed URL patterns
  • playground/html/__tests__/html.spec.ts: E2E tests for malformed URL handling
  • playground/html/vite.config.js: Added malformed-url.html to build inputs

Behavior

When a malformed URL is encountered:

  • Before: Server crashes with URIError: URI malformed
  • After: Server gracefully skips processing and continues serving other requests

This fix ensures that user input or template engine expressions in HTML attributes don't crash the development server, improving developer experience and application stability.

Fixes #20829
Related to #19397


@Copilot Copilot AI changed the title from "[WIP] Move decodeURIIfPossible to src/node/utils.ts and use that in viteServeStaticMiddleware and serveRawFsMiddleware to fix @vitejs/vite/issues/20829 . Make sure to add an e2e test in playground/html. Add a test for @vitejs/vite/pull/19397 as well." to "fix: move decodeURIIfPossible to utils and fix malformed URL handling in middlewares" Sep 24, 2025
@Copilot Copilot AI requested a review from sapphi-red September 24, 2025 02:02
Copilot finished work on behalf of sapphi-red September 24, 2025 02:02
@sapphi-red sapphi-red marked this pull request as ready for review September 24, 2025 09:25
@sapphi-red sapphi-red added the p2-edge-case Bug, but has workaround or limited in scope (priority) label Sep 24, 2025
@bluwy
Member

bluwy commented Sep 24, 2025

I pushed a commit that I think makes the malformed uri warning a little better:

```
Malformed URI sequence in request URL: /%7B%%20if%20product[0].image_urls[0]%20%%7D%7B%7Bproduct[0].image_urls[0]%7D%7D%7B%%20endif%20%%7D
```

Previously there wasn't any url logged to debug.
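
The decode-or-skip behaviour from the PR description, together with the warning format quoted in the comment above, as an added example that is not code from the Vite repository. `createStaticMiddleware`, the in-memory file map and the sample URLs are constructed for illustration; only the name `decodeURIIfPossible` and the warning text come from this page.

```javascript
// Sketch of the "decode or skip" pattern; an assumption, not Vite's source.
function decodeURIIfPossible(input) {
  try {
    return decodeURI(input)
  } catch {
    return undefined // decodeURI throws URIError on invalid %-escapes
  }
}

// Hypothetical connect-style middleware that serves from an in-memory map.
function createStaticMiddleware(files, warn) {
  return function serveStatic(req, res, next) {
    const rawPath = req.url.split('?')[0]
    const pathname = decodeURIIfPossible(rawPath)
    if (pathname === undefined) {
      // Log the raw, still-encoded URL so the offending request can be traced,
      // then hand the request on instead of letting the exception escape.
      warn(`Malformed URI sequence in request URL: ${req.url}`)
      return next()
    }
    const body = files.get(pathname)
    if (body === undefined) return next()
    res.statusCode = 200
    res.end(body)
  }
}

// Constructed requests: one valid, two with invalid percent sequences.
const SAMPLE_URLS = [
  '/logo%20dark.png',
  '/%ZZ%invalid',
  '/%7B%%20if%20product[0].image_urls[0]%20%%7D',
]

function runSamples() {
  const warnings = []
  const files = new Map([['/logo dark.png', 'PNG-BYTES']])
  const handle = createStaticMiddleware(files, (msg) => warnings.push(msg))
  const outcomes = SAMPLE_URLS.map((url) => {
    const res = { statusCode: 0, end(body) { this.body = body } }
    let passedOn = false
    handle({ url }, res, () => { passedOn = true })
    return { url, status: res.statusCode, passedOn }
  })
  return { outcomes, warnings }
}

console.log(runSamples())
```
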

@bluwy bluwy changed the title from "fix: move decodeURIIfPossible to utils and fix malformed URL handling in middlewares" to "fix(server): improve malformed URL handling in middlewares" Sep 24, 2025
@sapphi-red
Member

Nice, thanks!

@sapphi-red sapphi-red merged commit d65a983 into main Sep 25, 2025
18 checks passed
@sapphi-red sapphi-red deleted the copilot/fix-e015e0b0-d873-40ae-8455-585bb96a3369 branch September 25, 2025 00:42
renovate bot added a commit to andrei-picus-tink/auto-renovate that referenced this pull request Oct 3, 2025
| datasource | package | from  | to    |
| ---------- | ------- | ----- | ----- |
| npm        | vite    | 7.1.7 | 7.1.8 |


## [v7.1.8](https://github.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#small-718-2025-10-02-small)

##### Bug Fixes

- **css:** improve url escape characters handling ([#20847](vitejs/vite#20847)) ([24a61a3](vitejs/vite@24a61a3))
- **deps:** update all non-major dependencies ([#20855](vitejs/vite#20855)) ([788a183](vitejs/vite@788a183))
- **deps:** update artichokie to 0.4.2 ([#20864](vitejs/vite#20864)) ([e670799](vitejs/vite@e670799))
- **dev:** skip JS responses for document requests ([#20866](vitejs/vite#20866)) ([6bc6c4d](vitejs/vite@6bc6c4d))
- **glob:** fix HMR for array patterns with exclusions ([#20872](vitejs/vite#20872)) ([63e040f](vitejs/vite@63e040f))
- keep ids for virtual modules as-is ([#20808](vitejs/vite#20808)) ([d4eca98](vitejs/vite@d4eca98))
- **server:** drain stdin when not interactive ([#20837](vitejs/vite#20837)) ([bb950e9](vitejs/vite@bb950e9))
- **server:** improve malformed URL handling in middlewares ([#20830](vitejs/vite#20830)) ([d65a983](vitejs/vite@d65a983))

##### Documentation

- **create-vite:** provide deno example ([#20747](vitejs/vite#20747)) ([fdb758a](vitejs/vite@fdb758a))

##### Miscellaneous Chores

- **deps:** update rolldown-related dependencies ([#20810](vitejs/vite#20810)) ([ea68a88](vitejs/vite@ea68a88))
- **deps:** update rolldown-related dependencies ([#20854](vitejs/vite#20854)) ([4dd06fd](vitejs/vite@4dd06fd))
- update url of `create-react-app` license ([#20865](vitejs/vite#20865)) ([166a178](vitejs/vite@166a178))
renovate bot added a commit to andrei-picus-tink/auto-renovate that referenced this pull request Oct 3, 2025
| datasource | package | from  | to    |
| ---------- | ------- | ----- | ----- |
| npm        | vite    | 7.1.7 | 7.1.9 |


## [v7.1.9](https://github.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#small-719-2025-10-03-small)

##### Reverts

- **server:** drain stdin when not interactive ([#20885](vitejs/vite#20885)) ([12d72b0](vitejs/vite@12d72b0))


renovate bot added a commit to andrei-picus-tink/auto-renovate that referenced this pull request Oct 4, 2025
renovate bot added a commit to andrei-picus-tink/auto-renovate that referenced this pull request Oct 5, 2025
renovate bot added a commit to andrei-picus-tink/auto-renovate that referenced this pull request Oct 6, 2025

Development

Successfully merging this pull request may close these issues.

URL Malformed - not handling the malformed URL gracefully can be easily BLOCKER for developers...
