Coder Social home page Coder Social logo

Comments (2)

zpao avatar zpao commented on April 28, 2024

Eh, it's just an example and not meant to be a definitive way to use this. The dynamic example isn't officially supported as a pattern anyway. Appreciate the vigilance though :)

from express-react-views.

Alexendoo avatar Alexendoo commented on April 28, 2024

@zpao I found this through a discussion with somebody who used the same technique in Html.js to escape in their own small templating function (they felt that ejs/etc was overkill)

When I pointed out that their function was vulnerable to XSS they linked me to where they adapted it from:

express-react-views/examples/dynamic/views/Html.js

Lines 12 to 51 in 8fdfa85

/**
* re-render the content as json,
* for client-side app initialization
*
* NOTE on XSS prevention:
*
* This text will be placed into a script tag.
* It cannot be escaped,
* because it is intended to be raw javascript.
* Were the data object to contain the string, "</script>",
* the script tag would terminate prematurely.
* And two bad things would happen.
*
* 1. The client-side react application would not work.
* 2. A second script tag could then run arbitrary javascript.
*
* The former sucks a little but the latter sucks a lot.
* It would pwn you, game over, the site is no longer yours.
* There are three ways to thwart this scenario and you should do all of them:
*
* 1. Scrub input from users.
* Don't even let them enter data that is known to be potentially harmful.
* 2. Use a templating library that renders text by default.
* React does this, so YES!
* 3. Whenever you have to write raw user content into the document,
* block any content from breaking the current context.
*
* The third is what's going on with the `replace` function below.
* Because we're in a script tag context,
* we cannot allow the closing tag, "</script>", in our output.
* This is an old trick that breaks up the word "script" into a string contatenation.
* It works here because json always uses double quotes to escape strings.
*
* Properly escaping user data for raw output in html is tricky business.
* Whenever possible, avoid it.
* If avoidance is impossible,
* know what you are doing and good luck.
*/
var initScript =
'main(' + JSON.stringify(data).replace(/script/g, 'scr"+"ipt') + ')';

They said they trusted it to be correct, which is a completely understandable. It has a convincing comment and is hosted under https://github.com/reactjs

If it's unsupported I'd recommend removing the example, since it's rather unsafe

from express-react-views.

Related Issues (20)

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.