
Allow passing args in playground #3184

Open
MitchTurner wants to merge 7 commits into master from bugfix/prevent-playground-from-stripping-url

Conversation

@MitchTurner
Member

@MitchTurner MitchTurner commented Jan 22, 2026

Linked Issues/PRs

#3140

Description

Still WIP because this

  1. removes an OnceLock meant to improve performance. Might be worth the cost, but still can reconsider the approach
  2. patches the generated html code... which we were already doing but it's hacky

Checklist

  • Breaking changes are clearly marked as such in the PR description and changelog
  • New behavior is reflected in tests
  • The specification matches the implemented behavior (link update PR if changes are needed)

Before requesting review

  • I have reviewed the code myself
  • I have created follow-up issues caused by this PR and linked them here

After merging, notify other teams

[Add or remove entries as needed]

@MitchTurner MitchTurner changed the title Allow passing args in playground WIP: Allow passing args in playground Jan 22, 2026
@MitchTurner MitchTurner self-assigned this Jan 23, 2026
@MitchTurner MitchTurner changed the title WIP: Allow passing args in playground Allow passing args in playground Jan 26, 2026
@MitchTurner MitchTurner marked this pull request as ready for review April 1, 2026 14:54
@MitchTurner MitchTurner requested review from a team, Dentosal and xgreenx as code owners April 1, 2026 14:54
@cursor

cursor bot commented Apr 1, 2026

PR Summary

Medium Risk
Touches the GraphiQL playground response generation and removes the previous HTML caching, which could affect performance and subtly change how the playground constructs request URLs.

Overview
GraphQL playground (/v1/playground) now preserves incoming query parameters and forwards them to the configured GraphQL and subscription endpoints.

This is implemented by accepting RawQuery, appending it to the endpoint URLs, and patching the generated GraphiQL HTML so window.location.search is applied when constructing the request URL; the prior OnceLock-based cached HTML is removed in favor of per-request rendering. A changelog entry is added under .changes/fixed/3184.md.

Written by Cursor Bugbot for commit 726032a. This will update automatically on new commits.


@cursor cursor bot left a comment


Cursor Bugbot has reviewed your changes and found 2 potential issues.


.endpoint(&endpoint)
.subscription_endpoint(&subscription_endpoint)
.title("Fuel Graphql Playground")
.finish();
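Review bot: `endpoint` and `subscription_endpoint` reach `.endpoint()` and `.subscription_endpoint()` still carrying the raw query string, so nothing between the incoming request and the generated page validates or encodes it; the only protection is whatever escaping the builder's template applies, which this code does not control. Percent-encode the forwarded query string (at minimum `'`, `"`, `<`, `>`, `\` and any non-ASCII bytes) or reject characters outside a query allow-list before calling the builder, and add a test that requests `/v1/playground?x='` and asserts the response body contains no bare `'` inside the endpoint value.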

Reflected XSS via unsanitized query string in HTML

Medium Severity

User-controlled raw query string from RawQuery is appended to the endpoint and passed directly into GraphiQLSource::build().endpoint(), which embeds it in a JavaScript context via a handlebars template. The Rust handlebars crate's default HTML escaping does not escape single quotes ('). Since the GraphiQL template likely uses single-quoted JavaScript string literals for the endpoint value, an attacker can craft a URL like /v1/playground?';alert(document.cookie);// to inject arbitrary JavaScript. Single quotes are valid in URL query components per RFC 3986 and are not percent-encoded by browsers, so the raw ' reaches the server and gets embedded in the HTML output without sanitization.


let endpoint = format!("{}{}", endpoint, qs);
let subscription_endpoint = format!("{}{}", subscription_endpoint, qs);

// let html = GRAPHQL_PLAYGROUND_HTML.get_or_init(|| {
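Review bot: `qs` is spliced verbatim into both URLs by `format!`, so the same unvalidated string lands in the HTTP endpoint and in the subscription endpoint; build the forwarded query once from an encoded or validated form and reuse it for both, rather than concatenating the raw value twice. The commented-out `get_or_init` line should go as well now that the `OnceLock` is removed; if the cache is meant to come back, a follow-up issue reference in the PR description says that better than dead code.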

Commented-out code left from OnceLock removal

Low Severity

The line // let html = GRAPHQL_PLAYGROUND_HTML.get_or_init(|| { is a leftover comment from the removed OnceLock caching mechanism. This dead commented-out code adds noise and could confuse future readers about the intended design.

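To make the reflected-XSS finding above concrete, here is an added example, not fuel-core's code and not the GraphiQL builder's template, of the query-string passthrough done the way the PR does it beside a hardened version. `playground_endpoint_unsafe` mirrors the `format!` concatenation in the hunk; `playground_endpoint` runs the query string through a conservative percent-encoder first. `render_js` is a stand-in sink that embeds the endpoint in a single-quoted JavaScript literal with HTML escaping of `&`, `<`, `>` and `"` only, which is the behaviour the review comment attributes to the template; that escaping behaviour, the `/v1/graphql` base path, and the shape of the raw query value (query without its leading `?`, as a `RawQuery` extractor would hand it over) are assumptions of this example.

```rust
// Added example: hardening the raw-query passthrough described in the review.
// Not fuel-core code; the sink below is a simulation, not the real template.

// RFC 3986 unreserved characters other than ALPHA / DIGIT.
const UNRESERVED_EXTRA: &[u8] = b"-._~";
// Query punctuation deliberately allowed through so `a=1&b=2` round-trips
// unchanged. Everything else (notably ' " < > \ and non-ASCII) is encoded.
const QUERY_PUNCT: &[u8] = b"&=/?:@+,;";

fn is_hex(b: u8) -> bool {
    b.is_ascii_hexdigit()
}

/// Re-encode a raw query string so only an allow-listed byte set survives
/// verbatim. Well-formed `%XX` escapes are kept; a bare `%` is itself encoded.
pub fn sanitize_query(raw: &str) -> String {
    let bytes = raw.as_bytes();
    let mut out = String::with_capacity(raw.len());
    for (i, &b) in bytes.iter().enumerate() {
        let valid_escape =
            b == b'%' && i + 2 < bytes.len() && is_hex(bytes[i + 1]) && is_hex(bytes[i + 2]);
        let keep = b.is_ascii_alphanumeric()
            || UNRESERVED_EXTRA.contains(&b)
            || QUERY_PUNCT.contains(&b)
            || valid_escape;
        if keep {
            out.push(b as char);
        } else {
            out.push_str(&format!("%{:02X}", b));
        }
    }
    out
}

/// What the PR does: append the raw query string as-is (assumed base path,
/// assumed query-without-'?' shape).
pub fn playground_endpoint_unsafe(base: &str, raw_query: Option<&str>) -> String {
    match raw_query {
        Some(q) if !q.is_empty() => format!("{}?{}", base, q),
        _ => base.to_string(),
    }
}

/// Hardened form: same forwarding, but through the encoder.
pub fn playground_endpoint(base: &str, raw_query: Option<&str>) -> String {
    match raw_query {
        Some(q) if !q.is_empty() => format!("{}?{}", base, sanitize_query(q)),
        _ => base.to_string(),
    }
}

/// Stand-in for the template sink (assumption, per the review comment):
/// HTML-escape & < > " but not ', then drop the value into a JS string literal.
pub fn render_js(endpoint: &str) -> String {
    let html_escaped = endpoint
        .replace('&', "&amp;")
        .replace('<', "&lt;")
        .replace('>', "&gt;")
        .replace('"', "&quot;");
    format!("var endpoint = '{}';", html_escaped)
}

/// Characters that terminate or escape out of a single-quoted JS literal
/// (or end an inline <script> block) if they reach the page unencoded.
pub fn breaks_js_literal(s: &str) -> bool {
    s.chars()
        .any(|c| matches!(c, '\'' | '\\' | '<' | '\n' | '\r' | '\u{2028}' | '\u{2029}'))
}

fn main() {
    let payload = "';alert(document.cookie);//"; // constructed attacker input
    println!("unsafe: {}", render_js(&playground_endpoint_unsafe("/v1/graphql", Some(payload))));
    println!("safe:   {}", render_js(&playground_endpoint("/v1/graphql", Some(payload))));
}
```

The encoder is intentionally stricter than RFC 3986 allows (it also encodes `(`, `)`, `'`, `!`, `$`, `*`): those bytes are still decoded correctly by the GraphQL server on the way back in, and keeping the allow-list small means the page stays safe regardless of how the template escapes, which is the property a reviewer actually wants to test for.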
