From c84e6dcbbd8d008690487ddb829dbe8376000a6d Mon Sep 17 00:00:00 2001
From: Mingqing Ye <darcyye0129@gmail.com>
Date: Sun, 31 May 2026 21:33:17 +0800
Subject: [PATCH 01/11] test(core): cover custom CSS <head> injection in
 experience SSR

---
 .../src/middleware/koa-experience-ssr.test.ts | 69 +++++++++++++++++++
 1 file changed, 69 insertions(+)

diff --git a/packages/core/src/middleware/koa-experience-ssr.test.ts b/packages/core/src/middleware/koa-experience-ssr.test.ts
index 253a44e1cc01..ad323f09e1f3 100644
--- a/packages/core/src/middleware/koa-experience-ssr.test.ts
+++ b/packages/core/src/middleware/koa-experience-ssr.test.ts
@@ -77,4 +77,73 @@ describe('koaExperienceSsr()', () => {
       })});`
     );
   });
+
+  it('should inline custom CSS into the <head> when present', async () => {
+    (tenant.libraries.signInExperiences.getFullSignInExperience as jest.Mock).mockResolvedValueOnce(
+      { ...mockSignInExperience, customCss: '.foo { color: red; }' }
+    );
+
+    const ctx = {
+      ...baseCtx,
+      path: '/',
+      body: `<head><script>const logtoSsr=${ssrPlaceholder};</script></head>`,
+    };
+    await koaExperienceSsr(tenant.libraries, tenant.queries)(ctx, next);
+
+    expect(ctx.body).toContain('<style data-custom-css>.foo { color: red; }</style></head>');
+  });
+
+  it('should escape the `</style>` sequence in custom CSS to avoid breaking out of the tag', async () => {
+    (tenant.libraries.signInExperiences.getFullSignInExperience as jest.Mock).mockResolvedValueOnce(
+      {
+        ...mockSignInExperience,
+        customCss: 'body::before { content: "</style>"; }',
+      }
+    );
+
+    const ctx = {
+      ...baseCtx,
+      path: '/',
+      body: `<head><script>const logtoSsr=${ssrPlaceholder};</script></head>`,
+    };
+    await koaExperienceSsr(tenant.libraries, tenant.queries)(ctx, next);
+
+    // The dangerous `</style` becomes `<\/style`, which the HTML parser cannot treat as an end tag.
+    expect(ctx.body).toContain('content: "<\\/style>"');
+  });
+
+  it('should escape characters in the SSR JSON so embedded data cannot break out of the <script>', async () => {
+    (tenant.libraries.signInExperiences.getFullSignInExperience as jest.Mock).mockResolvedValueOnce(
+      { ...mockSignInExperience, customContent: { '/sign-in': '</script>' } }
+    );
+
+    const ctx = {
+      ...baseCtx,
+      path: '/',
+      body: `<head><script>const logtoSsr=${ssrPlaceholder};</script></head>`,
+    };
+    await koaExperienceSsr(tenant.libraries, tenant.queries)(ctx, next);
+
+    // Custom content is NOT inlined into a <style> (only custom CSS is), so the sole `</script>` that
+    // should remain is the genuine close of the `window.logtoSsr` script. If the SSR data were not
+    // escaped, its `</script>` would appear too and break out of the inline script.
+    expect(ctx.body.match(/<\/script>/g)?.length).toBe(1);
+  });
+
+  it('should not inline custom CSS in preview mode', async () => {
+    (tenant.libraries.signInExperiences.getFullSignInExperience as jest.Mock).mockResolvedValueOnce(
+      { ...mockSignInExperience, customCss: '.foo { color: red; }' }
+    );
+
+    const ctx = {
+      ...baseCtx,
+      path: '/',
+      query: { preview: 'true' },
+      body: `<head><script>const logtoSsr=${ssrPlaceholder};</script></head>`,
+    };
+    await koaExperienceSsr(tenant.libraries, tenant.queries)(ctx, next);
+
+    // Preview is driven live by postMessage + react-helmet; the server must not inline saved CSS.
+    expect(ctx.body).not.toContain('<style data-custom-css>');
+  });
 });

From b6719c952bca7ba1bd7431d2929ae6629ccbf9fd Mon Sep 17 00:00:00 2001
From: Mingqing Ye <darcyye0129@gmail.com>
Date: Sun, 31 May 2026 21:39:21 +0800
Subject: [PATCH 02/11] fix(core): inline custom CSS into experience HTML head
 to prevent style flash

---
 .../core/src/middleware/koa-experience-ssr.ts | 41 +++++++++++++++++--
 1 file changed, 38 insertions(+), 3 deletions(-)

diff --git a/packages/core/src/middleware/koa-experience-ssr.ts b/packages/core/src/middleware/koa-experience-ssr.ts
index 239e94f06a8d..c8dd3a1c209d 100644
--- a/packages/core/src/middleware/koa-experience-ssr.ts
+++ b/packages/core/src/middleware/koa-experience-ssr.ts
@@ -9,6 +9,18 @@ import { getExperienceLanguage } from '#src/utils/i18n.js';
 import { type WithI18nContext } from './koa-i18next.js';
 import { isIndexPath } from './koa-serve-static.js';
 
+/**
+ * Serialize SSR data for safe embedding inside an inline `<script>`. `JSON.stringify` alone is unsafe:
+ * a string such as `</script>` in the data (e.g. inside custom CSS or custom content) would close the
+ * script element early and enable injection. Escaping the HTML-significant characters keeps the values
+ * identical once parsed by JS, while preventing the HTML parser from recognizing any tag delimiters.
+ */
+const serializeSsrData = (data: SsrData): string =>
+  JSON.stringify(data)
+    .replaceAll('<', '\\u003c')
+    .replaceAll('>', '\\u003e')
+    .replaceAll('&', '\\u0026');
+
 /**
  * Create a middleware to prefetch the experience data and inject it into the HTML response. Some
  * conditions must be met:
@@ -54,15 +66,38 @@ export default function koaExperienceSsr<StateT, ContextT extends WithI18nContex
     const phrases = await libraries.phrases.getPhrases(language);
 
     ctx.set('Content-Language', language);
-    ctx.body = ctx.body.replace(
+
+    // Inline custom CSS into the served HTML <head> BEFORE substituting the SSR placeholder, so the
+    // `</head>` match can only hit the genuine document head — never a `</head>` that might appear in
+    // the injected SSR JSON. Having the CSS in <head> on the first byte puts it in the cascade for the
+    // first paint, removing the flash where built-in styles render before react-helmet injects the
+    // custom <style> a frame later. react-helmet still re-asserts the same CSS client-side (harmless)
+    // and keeps live preview working.
+    const { customCss } = signInExperience;
+    // Skip the inline in preview mode: the console preview iframe drives styling live via postMessage
+    // + react-helmet, so inlining the *saved* CSS here could briefly show it and even leak rules the
+    // user is editing out. Live preview has no FOUC to fix.
+
+    // Defuse `</style` in custom CSS so admin content can't terminate the element early: the HTML
+    // parser sees `<\/style` (not an end tag) while the CSS engine unescapes `\/` to `/`.
+    // No-op if `</head>` is absent (graceful fallback to client-side helmet injection).
+    const htmlWithCss =
+      customCss && ctx.query.preview !== 'true'
+        ? ctx.body.replace(
+            '</head>',
+            `<style data-custom-css>${customCss.replaceAll(/<\/(style)/gi, '<\\/$1')}</style></head>`
+          )
+        : ctx.body;
+
+    ctx.body = htmlWithCss.replace(
       ssrPlaceholder,
-      `Object.freeze(${JSON.stringify({
+      `Object.freeze(${serializeSsrData({
         signInExperience: {
           ...pick(logtoUiCookie, 'appId', 'organizationId'),
           data: signInExperience,
         },
         phrases: { lng: language, data: phrases },
-      } satisfies SsrData)})`
+      })})`
     );
   };
 }

From 197107238170dafc9be44346bca1d15b2088d4fb Mon Sep 17 00:00:00 2001
From: Mingqing Ye <darcyye0129@gmail.com>
Date: Sun, 31 May 2026 21:39:56 +0800
Subject: [PATCH 03/11] chore: add changeset for experience custom CSS flash
 fix

---
 .changeset/experience-custom-css-no-flash.md | 7 +++++++
 1 file changed, 7 insertions(+)
 create mode 100644 .changeset/experience-custom-css-no-flash.md

diff --git a/.changeset/experience-custom-css-no-flash.md b/.changeset/experience-custom-css-no-flash.md
new file mode 100644
index 000000000000..0aa7d1e5e963
--- /dev/null
+++ b/.changeset/experience-custom-css-no-flash.md
@@ -0,0 +1,7 @@
+---
+"@logto/core": patch
+---
+
+fix a flash of built-in styles on the hosted sign-in experience when custom CSS is configured
+
+Custom CSS was injected on the client via react-helmet, which mutates `<head>` asynchronously after the page had already painted with the built-in styles. The server-rendered experience HTML now inlines the configured custom CSS into `<head>`, so it is part of the cascade on the first paint. The `</style>` sequence in custom CSS is escaped so it cannot terminate the style element early, and the SSR data embedded in the inline `<script>` is now serialized with HTML-significant characters escaped to prevent script breakout.

From 6e85b9ce541ef526b32633908f3a1c377cf031e6 Mon Sep 17 00:00:00 2001
From: Mingqing Ye <darcyye0129@gmail.com>
Date: Sun, 31 May 2026 21:57:06 +0800
Subject: [PATCH 04/11] test(core): assert SSR escaping round-trips and tidy
 inline-CSS comments

---
 .../src/middleware/koa-experience-ssr.test.ts | 31 ++++++++++++++++---
 .../core/src/middleware/koa-experience-ssr.ts | 11 +++----
 2 files changed, 32 insertions(+), 10 deletions(-)

diff --git a/packages/core/src/middleware/koa-experience-ssr.test.ts b/packages/core/src/middleware/koa-experience-ssr.test.ts
index ad323f09e1f3..d5fdb017c1bf 100644
--- a/packages/core/src/middleware/koa-experience-ssr.test.ts
+++ b/packages/core/src/middleware/koa-experience-ssr.test.ts
@@ -124,10 +124,33 @@ describe('koaExperienceSsr()', () => {
     };
     await koaExperienceSsr(tenant.libraries, tenant.queries)(ctx, next);
 
-    // Custom content is NOT inlined into a <style> (only custom CSS is), so the sole `</script>` that
-    // should remain is the genuine close of the `window.logtoSsr` script. If the SSR data were not
-    // escaped, its `</script>` would appear too and break out of the inline script.
-    expect(ctx.body.match(/<\/script>/g)?.length).toBe(1);
+    // The `</script>` carried in the SSR data must be emitted as its escaped form (`</script>`),
+    // never as a literal tag that would close the inline `window.logtoSsr` <script> early. Asserting the
+    // escaped form (rather than counting `</script>` occurrences) is robust to the served template adding
+    // its own <script> tags.
+    expect(ctx.body).toContain('\\u003c/script\\u003e');
+  });
+
+  it('should produce SSR JSON that still parses back to the original data after escaping', async () => {
+    (tenant.libraries.signInExperiences.getFullSignInExperience as jest.Mock).mockResolvedValueOnce(
+      { ...mockSignInExperience, customContent: { '/sign-in': '<a>&</a>' } }
+    );
+
+    const ctx = {
+      ...baseCtx,
+      path: '/',
+      body: `<head><script>const logtoSsr=${ssrPlaceholder};</script></head>`,
+    };
+    await koaExperienceSsr(tenant.libraries, tenant.queries)(ctx, next);
+
+    // The `\uXXXX` escapes must decode back to the original characters when parsed, so the escaping is
+    // safe (no data corruption) while still preventing tag breakout.
+    const serialized = /Object\.freeze\((?<json>.+)\)/.exec(ctx.body)?.groups?.json;
+    expect(serialized).toBeTruthy();
+
+    // eslint-disable-next-line @typescript-eslint/no-unsafe-assignment -- test parses known JSON
+    const parsed = JSON.parse(serialized!);
+    expect(parsed.signInExperience.data.customContent['/sign-in']).toBe('<a>&</a>');
   });
 
   it('should not inline custom CSS in preview mode', async () => {
diff --git a/packages/core/src/middleware/koa-experience-ssr.ts b/packages/core/src/middleware/koa-experience-ssr.ts
index c8dd3a1c209d..260938646da5 100644
--- a/packages/core/src/middleware/koa-experience-ssr.ts
+++ b/packages/core/src/middleware/koa-experience-ssr.ts
@@ -74,13 +74,12 @@ export default function koaExperienceSsr<StateT, ContextT extends WithI18nContex
     // custom <style> a frame later. react-helmet still re-asserts the same CSS client-side (harmless)
     // and keeps live preview working.
     const { customCss } = signInExperience;
-    // Skip the inline in preview mode: the console preview iframe drives styling live via postMessage
-    // + react-helmet, so inlining the *saved* CSS here could briefly show it and even leak rules the
-    // user is editing out. Live preview has no FOUC to fix.
 
-    // Defuse `</style` in custom CSS so admin content can't terminate the element early: the HTML
-    // parser sees `<\/style` (not an end tag) while the CSS engine unescapes `\/` to `/`.
-    // No-op if `</head>` is absent (graceful fallback to client-side helmet injection).
+    // Inline the custom CSS only outside preview mode. In preview the console iframe drives styling live
+    // via postMessage + react-helmet, so inlining the *saved* CSS here could briefly show it and even
+    // leak rules the user is editing out — live preview has no FOUC to fix. `</style` is defused so admin
+    // CSS can't terminate the element early (the HTML parser sees `<\/style`; the CSS engine unescapes
+    // `\/`→`/`). The `</head>` replace is a no-op if absent, falling back to client-side helmet injection.
     const htmlWithCss =
       customCss && ctx.query.preview !== 'true'
         ? ctx.body.replace(

From d275df27eef33de65528f6c85a605ed330447516 Mon Sep 17 00:00:00 2001
From: Mingqing Ye <darcyye0129@gmail.com>
Date: Sun, 31 May 2026 22:55:41 +0800
Subject: [PATCH 05/11] chore: rename changeset to conventional three-word name

---
 .../{experience-custom-css-no-flash.md => gentle-otters-cheer.md} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename .changeset/{experience-custom-css-no-flash.md => gentle-otters-cheer.md} (100%)

diff --git a/.changeset/experience-custom-css-no-flash.md b/.changeset/gentle-otters-cheer.md
similarity index 100%
rename from .changeset/experience-custom-css-no-flash.md
rename to .changeset/gentle-otters-cheer.md

From 0d8e71154f6bd0f3d5f621b4c26c77931746fe98 Mon Sep 17 00:00:00 2001
From: Mingqing Ye <darcyye0129@gmail.com>
Date: Thu, 4 Jun 2026 10:29:06 +0800
Subject: [PATCH 06/11] refactor(core): condense inline custom CSS comments

---
 .../core/src/middleware/koa-experience-ssr.ts   | 17 ++++++-----------
 1 file changed, 6 insertions(+), 11 deletions(-)

diff --git a/packages/core/src/middleware/koa-experience-ssr.ts b/packages/core/src/middleware/koa-experience-ssr.ts
index 260938646da5..5663203cec5f 100644
--- a/packages/core/src/middleware/koa-experience-ssr.ts
+++ b/packages/core/src/middleware/koa-experience-ssr.ts
@@ -67,19 +67,14 @@ export default function koaExperienceSsr<StateT, ContextT extends WithI18nContex
 
     ctx.set('Content-Language', language);
 
-    // Inline custom CSS into the served HTML <head> BEFORE substituting the SSR placeholder, so the
-    // `</head>` match can only hit the genuine document head — never a `</head>` that might appear in
-    // the injected SSR JSON. Having the CSS in <head> on the first byte puts it in the cascade for the
-    // first paint, removing the flash where built-in styles render before react-helmet injects the
-    // custom <style> a frame later. react-helmet still re-asserts the same CSS client-side (harmless)
-    // and keeps live preview working.
+    // Inline custom CSS into <head> on the first byte so it is in the cascade for the first paint,
+    // removing the flash before react-helmet injects the same <style> client-side. Done BEFORE the SSR
+    // placeholder substitution so the `</head>` match can only hit the genuine document head. Skipped in
+    // preview mode (`?preview=true`), where the console iframe drives styling live via postMessage and
+    // inlining the *saved* CSS could leak rules being edited. `</style` is defused so admin CSS can't
+    // terminate the element early (parser sees `<\/style`; the CSS engine unescapes `\/`→`/`). See PR #8917.
     const { customCss } = signInExperience;
 
-    // Inline the custom CSS only outside preview mode. In preview the console iframe drives styling live
-    // via postMessage + react-helmet, so inlining the *saved* CSS here could briefly show it and even
-    // leak rules the user is editing out — live preview has no FOUC to fix. `</style` is defused so admin
-    // CSS can't terminate the element early (the HTML parser sees `<\/style`; the CSS engine unescapes
-    // `\/`→`/`). The `</head>` replace is a no-op if absent, falling back to client-side helmet injection.
     const htmlWithCss =
       customCss && ctx.query.preview !== 'true'
         ? ctx.body.replace(

From 849174a8f872b89154469b403095cec910e89590 Mon Sep 17 00:00:00 2001
From: Mingqing Ye <darcyye0129@gmail.com>
Date: Thu, 4 Jun 2026 10:29:28 +0800
Subject: [PATCH 07/11] test(core): harden SSR data assertion and cover
 </style> end-tag variants

---
 .../src/middleware/koa-experience-ssr.test.ts | 40 ++++++++++++++++---
 1 file changed, 34 insertions(+), 6 deletions(-)

diff --git a/packages/core/src/middleware/koa-experience-ssr.test.ts b/packages/core/src/middleware/koa-experience-ssr.test.ts
index d5fdb017c1bf..b6417894d750 100644
--- a/packages/core/src/middleware/koa-experience-ssr.test.ts
+++ b/packages/core/src/middleware/koa-experience-ssr.test.ts
@@ -70,12 +70,15 @@ describe('koaExperienceSsr()', () => {
     await koaExperienceSsr(tenant.libraries, tenant.queries)(ctx, next);
     expect(next).toHaveBeenCalledTimes(1);
     expect(ctx.body).not.toContain(ssrPlaceholder);
-    expect(ctx.body).toContain(
-      `const logtoSsr=Object.freeze(${JSON.stringify({
-        signInExperience: { data: mockSignInExperience },
-        phrases: { lng: 'en', data: phrases },
-      })});`
-    );
+    expect(ctx.body).toContain('const logtoSsr=Object.freeze(');
+
+    // Extract and parse the injected JSON rather than comparing against a bare `JSON.stringify`, which
+    // would diverge from `serializeSsrData`'s `<`/`>`/`&` escaping the moment the mock gains such a char.
+    const serialized = /Object\.freeze\((?<json>.+)\)/.exec(ctx.body)?.groups?.json;
+    expect(JSON.parse(serialized!)).toEqual({
+      signInExperience: { data: mockSignInExperience },
+      phrases: { lng: 'en', data: phrases },
+    });
   });
 
   it('should inline custom CSS into the <head> when present', async () => {
@@ -112,6 +115,31 @@ describe('koaExperienceSsr()', () => {
     expect(ctx.body).toContain('content: "<\\/style>"');
   });
 
+  // The regex matches the `</style` prefix without requiring the closing `>`, so every end-tag variant
+  // the HTML parser accepts — uppercase, or whitespace before `>` — is defused the same way.
+  it.each(['</STYLE>', '</style >', '</style\n>'])(
+    'should escape the `%s` end-tag variant in custom CSS',
+    async (variant) => {
+      (
+        tenant.libraries.signInExperiences.getFullSignInExperience as jest.Mock
+      ).mockResolvedValueOnce({
+        ...mockSignInExperience,
+        customCss: `body::before { content: "${variant}"; }`,
+      });
+
+      const ctx = {
+        ...baseCtx,
+        path: '/',
+        body: `<head><script>const logtoSsr=${ssrPlaceholder};</script></head>`,
+      };
+      await koaExperienceSsr(tenant.libraries, tenant.queries)(ctx, next);
+
+      // `</style`/`</STYLE` is broken to `<\/...`; the literal text after it (space/newline/`>`) is intact.
+      expect(ctx.body).toContain(`content: "${variant.replace(/<\/(style)/i, '<\\/$1')}"`);
+      expect(ctx.body).not.toMatch(/content: "<\/(?:style|STYLE)/);
+    }
+  );
+
   it('should escape characters in the SSR JSON so embedded data cannot break out of the <script>', async () => {
     (tenant.libraries.signInExperiences.getFullSignInExperience as jest.Mock).mockResolvedValueOnce(
       { ...mockSignInExperience, customContent: { '/sign-in': '</script>' } }

From 4c3fbdb33e80abdf961c7dd777c1e35dc6c7b7a9 Mon Sep 17 00:00:00 2001
From: Mingqing Ye <darcyye0129@gmail.com>
Date: Thu, 4 Jun 2026 10:30:33 +0800
Subject: [PATCH 08/11] test(core): cover custom CSS head inlining in
 experience SSR integration test

---
 .../experience/server-side-rendering.test.ts  | 36 +++++++++++++++++++
 1 file changed, 36 insertions(+)

diff --git a/packages/integration-tests/src/tests/experience/server-side-rendering.test.ts b/packages/integration-tests/src/tests/experience/server-side-rendering.test.ts
index e41ef12b3550..5b45b569cc70 100644
--- a/packages/integration-tests/src/tests/experience/server-side-rendering.test.ts
+++ b/packages/integration-tests/src/tests/experience/server-side-rendering.test.ts
@@ -1,6 +1,7 @@
 import { demoAppApplicationId, fullSignInExperienceGuard } from '@logto/schemas';
 import { z } from 'zod';
 
+import { updateSignInExperience } from '#src/api/sign-in-experience.js';
 import { demoAppUrl } from '#src/constants.js';
 import { OrganizationApiTest } from '#src/helpers/organization.js';
 import ExpectExperience from '#src/ui-helpers/expect-experience.js';
@@ -108,4 +109,39 @@ describe('server-side rendering', () => {
     // Check network requests
     await expectTraceNotToHaveWellKnownEndpoints();
   });
+
+  describe('custom CSS inlining', () => {
+    // A marker the server adds (`<style data-custom-css>`) but the client-side react-helmet `<style>`
+    // does not, so its presence in the served HTML proves the CSS was inlined server-side for the first
+    // paint rather than injected later by the client.
+    const customCss = '.ssr-custom-css-probe { color: rgb(1, 2, 3); }';
+
+    afterEach(async () => {
+      await updateSignInExperience({ customCss: null });
+    });
+
+    it('should inline custom CSS into the served <head> so it applies on the first paint', async () => {
+      await updateSignInExperience({ customCss });
+      const experience = new ExpectExperience(await browser.newPage());
+      await experience.navigateTo(demoAppUrl.href);
+
+      const html = await experience.page.content();
+      expect(html).toContain('data-custom-css');
+      expect(html).toContain(customCss);
+
+      await experience.page.close();
+    });
+
+    it('should not inline custom CSS in preview mode', async () => {
+      await updateSignInExperience({ customCss });
+      const experience = new ExpectExperience(await browser.newPage());
+      await experience.navigateTo(`${demoAppUrl.href}?preview=true`);
+
+      // Preview is driven live by the console iframe via postMessage; the server must not inline saved CSS.
+      const html = await experience.page.content();
+      expect(html).not.toContain('data-custom-css');
+
+      await experience.page.close();
+    });
+  });
 });

From 465d213ab263ce9f6ab88368bbb03227fce3252a Mon Sep 17 00:00:00 2001
From: Mingqing Ye <darcyye0129@gmail.com>
Date: Thu, 4 Jun 2026 10:42:09 +0800
Subject: [PATCH 09/11] test(core): clarify SSR escape comment

---
 packages/core/src/middleware/koa-experience-ssr.test.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/packages/core/src/middleware/koa-experience-ssr.test.ts b/packages/core/src/middleware/koa-experience-ssr.test.ts
index b6417894d750..1ed8775f0c08 100644
--- a/packages/core/src/middleware/koa-experience-ssr.test.ts
+++ b/packages/core/src/middleware/koa-experience-ssr.test.ts
@@ -152,7 +152,7 @@ describe('koaExperienceSsr()', () => {
     };
     await koaExperienceSsr(tenant.libraries, tenant.queries)(ctx, next);
 
-    // The `</script>` carried in the SSR data must be emitted as its escaped form (`</script>`),
+    // The `</script>` carried in the SSR data must be emitted as `\u003c/script\u003e`,
     // never as a literal tag that would close the inline `window.logtoSsr` <script> early. Asserting the
     // escaped form (rather than counting `</script>` occurrences) is robust to the served template adding
     // its own <script> tags.

From aeabf7249b13164956a0af7e1b2fd0061a3a8a25 Mon Sep 17 00:00:00 2001
From: Mingqing Ye <darcyye0129@gmail.com>
Date: Thu, 4 Jun 2026 13:29:56 +0800
Subject: [PATCH 10/11] test(core): load experience directly for SSR
 preview-mode CSS test

The preview-mode test navigated through the demo app, whose OIDC redirect
to /sign-in dropped the ?preview=true query, so the server never saw
preview mode and inlined the saved custom CSS. Hit the experience entry
directly with ?preview=true, mirroring the console preview iframe.

Also make Trace.cleanup idempotent: it now clears tracePath before
unlinking, so a later test that never started a trace no longer unlinks an
already-removed file and fails with ENOENT.
---
 .../src/tests/experience/server-side-rendering.test.ts     | 7 +++++--
 packages/integration-tests/src/ui-helpers/trace.ts         | 6 +++++-
 2 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/packages/integration-tests/src/tests/experience/server-side-rendering.test.ts b/packages/integration-tests/src/tests/experience/server-side-rendering.test.ts
index 5b45b569cc70..cfee78e6a071 100644
--- a/packages/integration-tests/src/tests/experience/server-side-rendering.test.ts
+++ b/packages/integration-tests/src/tests/experience/server-side-rendering.test.ts
@@ -2,7 +2,7 @@ import { demoAppApplicationId, fullSignInExperienceGuard } from '@logto/schemas'
 import { z } from 'zod';
 
 import { updateSignInExperience } from '#src/api/sign-in-experience.js';
-import { demoAppUrl } from '#src/constants.js';
+import { demoAppUrl, logtoUrl } from '#src/constants.js';
 import { OrganizationApiTest } from '#src/helpers/organization.js';
 import ExpectExperience from '#src/ui-helpers/expect-experience.js';
 import { Trace } from '#src/ui-helpers/trace.js';
@@ -135,7 +135,10 @@ describe('server-side rendering', () => {
     it('should not inline custom CSS in preview mode', async () => {
       await updateSignInExperience({ customCss });
       const experience = new ExpectExperience(await browser.newPage());
-      await experience.navigateTo(`${demoAppUrl.href}?preview=true`);
+      // Hit the experience entry directly with `?preview=true`, mirroring how the console preview
+      // iframe loads it. Going through the demo app instead would OIDC-redirect to `/sign-in` and
+      // drop the query param, so the server would never see preview mode.
+      await experience.navigateTo(new URL('/sign-in?preview=true', logtoUrl).href);
 
       // Preview is driven live by the console iframe via postMessage; the server must not inline saved CSS.
       const html = await experience.page.content();
diff --git a/packages/integration-tests/src/ui-helpers/trace.ts b/packages/integration-tests/src/ui-helpers/trace.ts
index fc37aeda5edf..7cd245408a2c 100644
--- a/packages/integration-tests/src/ui-helpers/trace.ts
+++ b/packages/integration-tests/src/ui-helpers/trace.ts
@@ -48,7 +48,11 @@ export class Trace {
 
   async cleanup() {
     if (this.tracePath) {
-      await fs.unlink(this.tracePath);
+      // Clear the path first so a repeated cleanup (e.g. a later test in the same suite that never
+      // started a trace) is a no-op instead of unlinking an already-removed file.
+      const { tracePath } = this;
+      this.tracePath = undefined;
+      await fs.unlink(tracePath);
     }
   }
 }

From 4cc1db3c9987ff9a4aa530fd1e7a1e106d45200a Mon Sep 17 00:00:00 2001
From: Mingqing Ye <darcyye0129@gmail.com>
Date: Thu, 4 Jun 2026 18:03:58 +0800
Subject: [PATCH 11/11] fix(core): harden SSR serialization and test hygiene
 from PR review

- Escape U+2028/U+2029 in serializeSsrData so the inline Object.freeze(...)
  expression stays parseable in pre-ES2019 engines
- Use fs.rm({ force: true }) in Trace.cleanup so a missing file is a no-op
  while real FS errors still surface
- Close pages in finally in the custom-CSS SSR integration tests to avoid
  leaking pages on assertion failure
- Anchor the SSR JSON extraction regex on the trailing ); and assert the
  match before parsing
---
 .../src/middleware/koa-experience-ssr.test.ts | 36 ++++++++++++++++-
 .../core/src/middleware/koa-experience-ssr.ts |  8 +++-
 .../experience/server-side-rendering.test.ts  | 40 +++++++++++--------
 .../integration-tests/src/ui-helpers/trace.ts |  5 ++-
 4 files changed, 67 insertions(+), 22 deletions(-)

diff --git a/packages/core/src/middleware/koa-experience-ssr.test.ts b/packages/core/src/middleware/koa-experience-ssr.test.ts
index 1ed8775f0c08..7c6c37680a30 100644
--- a/packages/core/src/middleware/koa-experience-ssr.test.ts
+++ b/packages/core/src/middleware/koa-experience-ssr.test.ts
@@ -74,7 +74,9 @@ describe('koaExperienceSsr()', () => {
 
     // Extract and parse the injected JSON rather than comparing against a bare `JSON.stringify`, which
     // would diverge from `serializeSsrData`'s `<`/`>`/`&` escaping the moment the mock gains such a char.
-    const serialized = /Object\.freeze\((?<json>.+)\)/.exec(ctx.body)?.groups?.json;
+    // Anchor on the trailing `);` so the greedy capture stops at the genuine `Object.freeze(...)` close.
+    const serialized = /Object\.freeze\((?<json>.+)\);/.exec(ctx.body)?.groups?.json;
+    expect(serialized).toBeTruthy();
     expect(JSON.parse(serialized!)).toEqual({
       signInExperience: { data: mockSignInExperience },
       phrases: { lng: 'en', data: phrases },
@@ -173,7 +175,7 @@ describe('koaExperienceSsr()', () => {
 
     // The `\uXXXX` escapes must decode back to the original characters when parsed, so the escaping is
     // safe (no data corruption) while still preventing tag breakout.
-    const serialized = /Object\.freeze\((?<json>.+)\)/.exec(ctx.body)?.groups?.json;
+    const serialized = /Object\.freeze\((?<json>.+)\);/.exec(ctx.body)?.groups?.json;
     expect(serialized).toBeTruthy();
 
     // eslint-disable-next-line @typescript-eslint/no-unsafe-assignment -- test parses known JSON
@@ -181,6 +183,36 @@ describe('koaExperienceSsr()', () => {
     expect(parsed.signInExperience.data.customContent['/sign-in']).toBe('<a>&</a>');
   });
 
+  it('should escape U+2028/U+2029 so the inline `Object.freeze(...)` expression stays parseable', async () => {
+    // U+2028 (LINE SEPARATOR) and U+2029 (PARAGRAPH SEPARATOR) are valid in JSON but are line
+    // terminators in a JS string literal, so left literal they would break the embedded expression.
+    // Build the value from code points so this source file stays pure ASCII.
+    const original = `a${String.fromCodePoint(0x20_28)}b${String.fromCodePoint(0x20_29)}c`;
+    (tenant.libraries.signInExperiences.getFullSignInExperience as jest.Mock).mockResolvedValueOnce(
+      { ...mockSignInExperience, customContent: { '/sign-in': original } }
+    );
+
+    const ctx = {
+      ...baseCtx,
+      path: '/',
+      body: `<head><script>const logtoSsr=${ssrPlaceholder};</script></head>`,
+    };
+    await koaExperienceSsr(tenant.libraries, tenant.queries)(ctx, next);
+
+    // The literal separators must not survive in the emitted source, but their escapes must.
+    expect(ctx.body).not.toContain(String.fromCodePoint(0x20_28));
+    expect(ctx.body).not.toContain(String.fromCodePoint(0x20_29));
+    expect(ctx.body).toContain('\\u2028');
+    expect(ctx.body).toContain('\\u2029');
+
+    // The escaped form must still decode back to the original once parsed.
+    const serialized = /Object\.freeze\((?<json>.+)\);/.exec(ctx.body)?.groups?.json;
+    expect(serialized).toBeTruthy();
+    // eslint-disable-next-line @typescript-eslint/no-unsafe-assignment -- test parses known JSON
+    const parsed = JSON.parse(serialized!);
+    expect(parsed.signInExperience.data.customContent['/sign-in']).toBe(original);
+  });
+
   it('should not inline custom CSS in preview mode', async () => {
     (tenant.libraries.signInExperiences.getFullSignInExperience as jest.Mock).mockResolvedValueOnce(
       { ...mockSignInExperience, customCss: '.foo { color: red; }' }
diff --git a/packages/core/src/middleware/koa-experience-ssr.ts b/packages/core/src/middleware/koa-experience-ssr.ts
index 5663203cec5f..840c9d564753 100644
--- a/packages/core/src/middleware/koa-experience-ssr.ts
+++ b/packages/core/src/middleware/koa-experience-ssr.ts
@@ -19,7 +19,13 @@ const serializeSsrData = (data: SsrData): string =>
   JSON.stringify(data)
     .replaceAll('<', '\\u003c')
     .replaceAll('>', '\\u003e')
-    .replaceAll('&', '\\u0026');
+    .replaceAll('&', '\\u0026')
+    // U+2028 (LINE SEPARATOR) and U+2029 (PARAGRAPH SEPARATOR) are valid inside JSON strings but are
+    // line terminators in a JavaScript string literal (pre-ES2019). Since this payload is embedded as a
+    // JS expression (`Object.freeze(...)`), leaving them literal can break parsing in older engines.
+    // Escape to their `\uXXXX` form, which JS decodes back to the original characters.
+    .replaceAll('\u2028', '\\u2028') // U+2028 LINE SEPARATOR
+    .replaceAll('\u2029', '\\u2029'); // U+2029 PARAGRAPH SEPARATOR
 
 /**
  * Create a middleware to prefetch the experience data and inject it into the HTML response. Some
diff --git a/packages/integration-tests/src/tests/experience/server-side-rendering.test.ts b/packages/integration-tests/src/tests/experience/server-side-rendering.test.ts
index cfee78e6a071..d1054cf1b7b9 100644
--- a/packages/integration-tests/src/tests/experience/server-side-rendering.test.ts
+++ b/packages/integration-tests/src/tests/experience/server-side-rendering.test.ts
@@ -123,28 +123,34 @@ describe('server-side rendering', () => {
     it('should inline custom CSS into the served <head> so it applies on the first paint', async () => {
       await updateSignInExperience({ customCss });
       const experience = new ExpectExperience(await browser.newPage());
-      await experience.navigateTo(demoAppUrl.href);
-
-      const html = await experience.page.content();
-      expect(html).toContain('data-custom-css');
-      expect(html).toContain(customCss);
-
-      await experience.page.close();
+      try {
+        await experience.navigateTo(demoAppUrl.href);
+
+        const html = await experience.page.content();
+        expect(html).toContain('data-custom-css');
+        expect(html).toContain(customCss);
+      } finally {
+        // Close in `finally` so a failed assertion/navigation does not leak the page across the suite.
+        await experience.page.close();
+      }
     });
 
     it('should not inline custom CSS in preview mode', async () => {
       await updateSignInExperience({ customCss });
       const experience = new ExpectExperience(await browser.newPage());
-      // Hit the experience entry directly with `?preview=true`, mirroring how the console preview
-      // iframe loads it. Going through the demo app instead would OIDC-redirect to `/sign-in` and
-      // drop the query param, so the server would never see preview mode.
-      await experience.navigateTo(new URL('/sign-in?preview=true', logtoUrl).href);
-
-      // Preview is driven live by the console iframe via postMessage; the server must not inline saved CSS.
-      const html = await experience.page.content();
-      expect(html).not.toContain('data-custom-css');
-
-      await experience.page.close();
+      try {
+        // Hit the experience entry directly with `?preview=true`, mirroring how the console preview
+        // iframe loads it. Going through the demo app instead would OIDC-redirect to `/sign-in` and
+        // drop the query param, so the server would never see preview mode.
+        await experience.navigateTo(new URL('/sign-in?preview=true', logtoUrl).href);
+
+        // Preview is driven live by the console iframe via postMessage; the server must not inline saved CSS.
+        const html = await experience.page.content();
+        expect(html).not.toContain('data-custom-css');
+      } finally {
+        // Close in `finally` so a failed assertion/navigation does not leak the page across the suite.
+        await experience.page.close();
+      }
     });
   });
 });
diff --git a/packages/integration-tests/src/ui-helpers/trace.ts b/packages/integration-tests/src/ui-helpers/trace.ts
index 7cd245408a2c..dc8afa101712 100644
--- a/packages/integration-tests/src/ui-helpers/trace.ts
+++ b/packages/integration-tests/src/ui-helpers/trace.ts
@@ -49,10 +49,11 @@ export class Trace {
   async cleanup() {
     if (this.tracePath) {
       // Clear the path first so a repeated cleanup (e.g. a later test in the same suite that never
-      // started a trace) is a no-op instead of unlinking an already-removed file.
+      // started a trace) is a no-op instead of unlinking an already-removed file. `force: true` makes
+      // a missing file a no-op too, while still surfacing real FS errors instead of swallowing them.
       const { tracePath } = this;
       this.tracePath = undefined;
-      await fs.unlink(tracePath);
+      await fs.rm(tracePath, { force: true });
     }
   }
 }