Comments (22)
Let's get to this by the weekend, @alexfedoseev, @samnang.
from react_on_rails.
@alexfedoseev let's have some discussion on monday when you get up.
from react_on_rails.
@samnang 👍
from react_on_rails.
This is probably NOT an issue for the following reason:
We use Rails to_json which does the encoding.
https://github.com/rails/rails/blob/master/activesupport/lib/active_support/json/encoding.rb#L51-51
```ruby
private
  # Rails does more escaping than the JSON gem natively does (we
  # escape \u2028 and \u2029 and optionally >, <, & to work around
  # certain browser problems).
  ESCAPED_CHARS = {
    "\u2028" => '\u2028',
    "\u2029" => '\u2029',
    '>'      => '\u003e',
    '<'      => '\u003c',
    '&'      => '\u0026',
  }

  ESCAPE_REGEX_WITH_HTML_ENTITIES = /[\u2028\u2029><&]/u
  ESCAPE_REGEX_WITHOUT_HTML_ENTITIES = /[\u2028\u2029]/u

  # This class wraps all the strings we see and does the extra escaping
  class EscapedString < String #:nodoc:
    def to_json(*)
      if Encoding.escape_html_entities_in_json
        super.gsub ESCAPE_REGEX_WITH_HTML_ENTITIES, ESCAPED_CHARS
      else
        super.gsub ESCAPE_REGEX_WITHOUT_HTML_ENTITIES, ESCAPED_CHARS
      end
    end

    def to_s
      self
    end
  end
```
HOWEVER, we do support passing a string as a param of the JSON.
- Would a rails user convert an object to JSON without using the rails way?
- Should we require the passing of a string to pass an extra param saying that it's escaped?
I'm researching this a bit more.
The big hazard is that somebody will use JSON.generate (Ruby stdlib) rather than Rails to_json.
from react_on_rails.
I just pushed shakacode/react-webpack-rails-tutorial#108, which shows how jBuilder will create the JSON string.
This is a sample result. Note how symbols like < are encoded.
```javascript
//<![CDATA[
(function() {
  window.__appData0__ = [{"id":63,"author":"aaa","text":"dddd","created_at":"2015-09-21T22:44:33.602Z","updated_at":"2015-09-21T22:44:33.602Z"},{"id":64,"author":"afaaf","text":"ffffff","created_at":"2015-09-27T18:20:20.713Z","updated_at":"2015-09-27T18:20:20.713Z"},{"id":65,"author":"afaaf","text":"**afafafa**","created_at":"2015-09-27T18:20:29.251Z","updated_at":"2015-09-27T18:20:29.251Z"},{"id":66,"author":"Justin","text":"\u003c/script\u003e\u003cscript\u003ealert(\"WTF\");\u003c/script\u003e","created_at":"2015-10-04T22:53:12.373Z","updated_at":"2015-10-04T22:53:12.373Z"},{"id":67,"author":"JG","text":"' some \" \" ' etc.","created_at":"2015-10-04T23:09:51.375Z","updated_at":"2015-10-04T23:09:51.375Z"},{"id":68,"author":"aaa","text":"dddd","created_at":"2015-10-05T01:49:23.188Z","updated_at":"2015-10-05T01:49:23.188Z"},{"id":69,"author":"ddd","text":"xxxxxxx","created_at":"2015-10-05T01:50:03.228Z","updated_at":"2015-10-05T01:50:03.228Z"},{"id":70,"author":"ddd","text":"cccccccc","created_at":"2015-10-05T01:50:22.336Z","updated_at":"2015-10-05T01:50:22.336Z"},{"id":71,"author":"addddd","text":"aaaa","created_at":"2015-10-05T01:59:15.763Z","updated_at":"2015-10-05T01:59:15.763Z"}];
  ReactOnRails.clientRenderReactComponent({
    componentName: 'App',
    domId: 'App-react-component-0',
    propsVarName: '__appData0__',
    props: window.__appData0__,
    trace: true,
    generatorFunction: true,
    expectTurboLinks: true
  });
})();
//]]>
```
from react_on_rails.
So the question is whether or not we should check the String (not Hash) to see if there might be some non-escaped characters. Maybe we should always escape unless an option is set? That seems like a reasonable solution, as we could put the option in the global configuration file for a default.
Maybe the option could be:

```ruby
escape_javascript: true
```

Or we can always run this escape:

```ruby
ESCAPED_CHARS = {
  "\u2028" => '\u2028',
  "\u2029" => '\u2029',
  '>'      => '\u003e',
  '<'      => '\u003c',
  '&'      => '\u0026',
}
ESCAPE_REGEX_WITH_HTML_ENTITIES = /[\u2028\u2029><&]/u

json_string.gsub(ESCAPE_REGEX_WITH_HTML_ENTITIES, ESCAPED_CHARS)
```
I'm just against doing this every time unless we can turn this off.
As I mentioned, somebody would have to be using a method like JSON.generate to get non-escaped JSON. Jbuilder, rails to_json all escape. Rails tries to keep everybody safe!
from react_on_rails.
Example of safe and non-safe json conversion
```text
[24] (pry) main: 0> aa
{
  :hello     => "world",
  :free      => "of charge",
  "script"   => "<script>alert(\"yo\");</script>",
  "<script>" => "<script>alert(\"yo\");</script>"
}
[25] (pry) main: 0> non_safe = JSON.generate(aa)
"{\"hello\":\"world\",\"free\":\"of charge\",\"script\":\"<script>alert(\\\"yo\\\");</script>\",\"<script>\":\"<script>alert(\\\"yo\\\");</script>\"}"
[27] (pry) main: 0> safe = aa.to_json
"{\"hello\":\"world\",\"free\":\"of charge\",\"script\":\"\\u003cscript\\u003ealert(\\\"yo\\\");\\u003c/script\\u003e\",\"\\u003cscript\\u003e\":\"\\u003cscript\\u003ealert(\\\"yo\\\");\\u003c/script\\u003e\"}"
```
from react_on_rails.
My vote is for "always escape"; this way we won't let the user shoot himself in the leg (and I don't see a reason why it might be turned off).
from react_on_rails.
@alexfedoseev My only concern is that it might be a slight performance disadvantage if sending over lots of data, and the developer is using the rails ways of creating the JSON strings.
Do you agree on the escaping rules I posted?
from react_on_rails.
Yep. Well in this case we can:
- set `escape_javascript: true` by default
- in the docs for this setting, explain the differences between JSON methods and put a warning: don't turn this off unless you know what you're doing.
from react_on_rails.
I still feel having an option `on` and `off` for performance is early optimization for me. I vote for "always escape" and use Rails `ActiveSupport::JSON::encode`, so that we will take advantage of the latest Rails security work when they find something and fix it.
from react_on_rails.
@mapreal19 Maybe you can take a crack at this? Let's consider @samnang's suggestion on the encoding. We'll put off making this optional until needed.
@samnang is this the method that we need:
https://github.com/rails/activesupport-json_encoder/blob/master/lib/active_support/json/encoding/active_support_encoder.rb#L76
It seems to do more than Rails is doing by default for to_json. Maybe a good thing?
from react_on_rails.
@justin808 why don't we just use their public interface method https://github.com/rails/rails/blob/master/activesupport/lib/active_support/json/encoding.rb#L19 instead of re-implementing their idea, so we don't need to care when they fix a new security problem in the future?
from react_on_rails.
Wow -- just found this article:
http://openwall.com/lists/oss-security/2015/06/16/17
Let's do this!
@andreasklinger, @korbin, @lfittl, You might not be affected by this in react-rails as it's using a data prop for browser side data. Hope you guys try out react_on_rails soon! Let's combine efforts!
from react_on_rails.
@justin808 it's a great benefit when we're just using the Rails API, so they will find vulnerabilities quickly and fix them quickly as well.
from react_on_rails.
@samnang Sounds good.
from react_on_rails.
@samnang Let's you or I do this one on our next pairing session, between us or with some other community member.
from react_on_rails.
@justin808 sounds good.
from react_on_rails.
FWIW, this does not work:
```ruby
def sanitized_props_string(props)
  props_string = props.is_a?(String) ? props : props.to_json
  ActiveSupport::JSON.encode(props_string)
end
```

```javascript
window.__helloWorldData0__ = "{\"helloWorldData\":{\"name\":\"Mr. Server Side Rendering\"}}";
```

because it escapes the quotes.
from react_on_rails.
@justin808 @alexfedoseev I found the method that does exactly this job when param is string. It's json_escape
from react_on_rails.
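Added example (not part of this thread or the react_on_rails code base): it applies the Rails escape table quoted above to both a Hash and a caller-supplied JSON string, the same job `json_escape` does for the String case, and shows why `JSON.generate` output alone cannot be dropped into an inline `<script>`. The function and constant names (`escape_for_inline_script`, `safe_for_inline_script?`, `build_inline_script`, `ESCAPE_REGEX`) and the sample props are constructed for the illustration; the escape table itself is the one from ActiveSupport. A String is only character-escaped, never re-encoded, which is the double-encoding mistake the `sanitized_props_string` comment below runs into.

```ruby
require "json"

# Escape table as used by ActiveSupport's EscapedString / ERB::Util.json_escape:
# the characters that can close an inline <script> or act as JS line
# terminators are rewritten as JSON \u escapes. The result is still valid
# JSON, so JSON.parse (and the browser's JS engine) restore the originals.
ESCAPED_CHARS = {
  "\u2028" => '\u2028',
  "\u2029" => '\u2029',
  ">"      => '\u003e',
  "<"      => '\u003c',
  "&"      => '\u0026',
}.freeze
ESCAPE_REGEX = /[\u2028\u2029><&]/u   # constructed name for this example

# Accepts a Hash/Array (serialised here with the stdlib generator, which does
# NOT escape these characters) or an already-serialised JSON String. The
# String path mirrors json_escape: gsub only, no second JSON encoding, because
# re-encoding would escape the quotes and turn the object into a string literal.
def escape_for_inline_script(props)
  json = props.is_a?(String) ? props : JSON.generate(props)
  json.gsub(ESCAPE_REGEX, ESCAPED_CHARS)
end

# Defender-side check: true when the payload contains no raw character that
# the HTML parser could read as a tag boundary or a JS line terminator.
def safe_for_inline_script?(json)
  !json.match?(/[<>\u2028\u2029]/u)
end

# Builds the assignment that goes inside the page's <script> block.
def build_inline_script(var_name, props)
  "window.#{var_name} = #{escape_for_inline_script(props)};"
end

if __FILE__ == $0
  # Constructed sample: user-controlled text carrying a script-closing tag.
  sample = { "text" => "</script><script>alert(\"WTF\");</script>", "amp" => "a&b" }
  puts "stdlib:  #{JSON.generate(sample)}"
  puts "escaped: #{build_inline_script('__appData0__', sample)}"
  puts "round trip ok: #{JSON.parse(escape_for_inline_script(sample)) == sample}"
end
```

Because `\u003c` is a JSON string escape rather than an HTML entity, the browser never sees a literal `</script>` in the page source, yet `JSON.parse` and `window.__appData0__` still hold the original text, so component props are unchanged.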
See #59 -- that fixes this one.
from react_on_rails.
Related issue: rails/rails#15364
from react_on_rails.