GithubHelp home page GithubHelp logo

Comments (6)

1aron avatar 1aron commented on April 27, 2024 1

Is there any reason to specifically encode these characters?

react/packages/react-dom/src/__tests__/quoteAttributeValueForBrowser-test.js

Lines 22 to 50 in 493610f

it('ampersand is escaped inside attributes', () => {
const response = ReactDOMServer.renderToString(<img data-attr="&" />);
expect(response).toMatch('<img data-attr="&amp;"/>');
});
it('double quote is escaped inside attributes', () => {
const response = ReactDOMServer.renderToString(<img data-attr={'"'} />);
expect(response).toMatch('<img data-attr="&quot;"/>');
});
it('single quote is escaped inside attributes', () => {
const response = ReactDOMServer.renderToString(<img data-attr="'" />);
expect(response).toMatch('<img data-attr="&#x27;"/>');
});
it('greater than entity is escaped inside attributes', () => {
const response = ReactDOMServer.renderToString(<img data-attr=">" />);
expect(response).toMatch('<img data-attr="&gt;"/>');
});
it('lower than entity is escaped inside attributes', () => {
const response = ReactDOMServer.renderToString(<img data-attr="<" />);
expect(response).toMatch('<img data-attr="&lt;"/>');
});
it('number is escaped to string inside attributes', () => {
const response = ReactDOMServer.renderToString(<img data-attr={42} />);
expect(response).toMatch('<img data-attr="42"/>');
});

from react.

Janelaxagh avatar Janelaxagh commented on April 27, 2024 1

@1aron
It seems to me that the best way to balance security and correctness in React is to use alternative styling methods, such as classes or inline styles, instead of CSS selectors that depend on attribute values. This avoids potential security issues associated with code injection, while at the same time providing more reliable and predictable style behavior.

from react.

Janelaxagh avatar Janelaxagh commented on April 27, 2024

It seems that you have a problem with character encoding when using renderToString in React v18.1.0. It automatically encodes special characters such as > in their HTML texts, which leads to incorrect configuration of CSS elements in your case.

This may be an undesirable change, perhaps if you use special characters in the class for styles or CSS selectors. Your class mt:0>section should not be automated in the mt:0&gt;section, as this may lead to an irreversible change in the structure.

You can address this issue by using dangerouslySetInnerHTML to output unescaped HTML characters:

import React from 'react';
import { renderToString } from 'react-dom/server';

export default function App() {
  // Use dangerouslySetInnerHTML to output unescaped HTML characters
  const htmlString = renderToString(
    <div dangerouslySetInnerHTML={{ __html: '<div class="mt:0>div"></div>' }}></div>
  );

  return <div dangerouslySetInnerHTML={{ __html: htmlString }}></div>;
}

from react.

1aron avatar 1aron commented on April 27, 2024

@Janelaxagh I understand that escapeHTML somehow prevents XSS, but does it seem legal to write decoded characters in attribute values? Sometimes, we will select the target element through the CSS attribute selector. Still, when the attribute value of the target element is encoded or decoded, the CSS rules that can be selected normally will become invalid.

I don't know how React balances correctness and safety.

from react.

1aron avatar 1aron commented on April 27, 2024

@Janelaxagh Thank you for your careful reply. I just discovered that we only need to decode the class name when getting it to keep the CSS selection consistent.

master-co/css@13e07c7#diff-4645721ad298aa15015081e24138aa708929aac26a0ad325b31735c8b04c7f1c

from react.

Janelaxagh avatar Janelaxagh commented on April 27, 2024

@1aron
It's great that you found a solution! This is a great find and will definitely make working with CSS fetching easier.

from react.

Related Issues (20)

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.