fix(ssr): address possible xss vector

src/platforms/web/server/modules/attrs.js

@@ -50,7 +50,7 @@ export function renderAttr (key: string, value: string): string {
   } else if (isEnumeratedAttr(key)) {
     return ` ${key}="${isFalsyAttrValue(value) || value === 'false' ? 'false' : 'true'}"`
   } else if (!isFalsyAttrValue(value)) {
-    return ` ${key}="${typeof value === 'string' ? cachedEscape(value) : value}"`
+    return ` ${key}="${cachedEscape(String(value))}"`
   }
   return ''
 }

test/ssr/ssr-string.spec.js

@@ -821,6 +821,19 @@ describe('SSR: renderToString', () => {
     })
   })
 
+  it('should prevent script xss with v-bind object syntax + array value', done => {
+    renderVmWithOptions({
+      data: {
+        test: ['"><script>alert(1)</script><!--"']
+      },
+      template: `<div v-bind="{ test }"></div>`
+    }, res => {
+      console.log(res)
+      expect(res).not.toContain(`<script>alert(1)</script>`)
+      done()
+    })
+  })
+
   it('v-if', done => {
     renderVmWithOptions({
       template: `