XSS danger - Escaping needed after #3808 #3813

Conduitry · 2019-10-28T03:08:29Z

This should have its own issue so it's not forgotten about before the next alpha, because this is a nasty one.

No REPL link because this isn't released yet, but:

<div>{'<div onclick="alert(&quot;oh no&quot;)">click me</div>'}</div>

produces an actual div with an onclick since #3808. Less maliciously,

<div>{'&lt;'}</div>

renders as <. The text isn't getting escaped. I don't think there's currently any runtime escaping of entities in DOM code, but with these changes, we'll need some. If this proves too challenging, we should revert #3808 for now.

The text was updated successfully, but these errors were encountered:

tivac · 2019-10-28T03:12:40Z

Runtime escaping wasn't needed when everything was created as a text node. Is the slight code size decrease worth the increased risk and cost of runtime escaping?

Seems like something that needs benchmarking 🤔

Conduitry added the bug label Oct 28, 2019

tanhauhau mentioned this issue Oct 28, 2019

use textContent instead of innerHtml, preventing XSS #3816

Merged

Rich-Harris closed this as completed in #3816 Oct 28, 2019

tanhauhau mentioned this issue Nov 1, 2019

⚡️ Short Stories working on Svelte Shopee/shopee-react-knowledgeable#154

Closed

wgao19 mentioned this issue Nov 15, 2019

React Knowledgeable #53 - Nov 22, 2019 Shopee/shopee-react-knowledgeable#160

Closed

2 tasks

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

XSS danger - Escaping needed after #3808 #3813

XSS danger - Escaping needed after #3808 #3813

Conduitry commented Oct 28, 2019

tivac commented Oct 28, 2019

XSS danger - Escaping needed after #3808 #3813

XSS danger - Escaping needed after #3808 #3813

Comments

Conduitry commented Oct 28, 2019

tivac commented Oct 28, 2019