Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Avoid using dangerous JSX properties #17

Open
philipjonsen opened this issue Sep 13, 2023 · 0 comments
Open

Avoid using dangerous JSX properties #17

philipjonsen opened this issue Sep 13, 2023 · 0 comments

Comments

@philipjonsen
Copy link

DESCRIPTION
Dangerous properties in React are those whose behavior is known to be a common source of application vulnerabilities. The properties names clearly indicate they are dangerous and should be avoided unless great care is taken.

dangerouslySetInnerHTML is React's replacement for using innerHTML in the browser DOM. In general, setting HTML from code is risky because it's easy to inadvertently expose your users to a cross-site scripting (XSS) attack. So, you can set HTML directly from React, but you have to type out dangerouslySetInnerHTML and pass an object with a __html key, to remind yourself that it’s dangerous.

BAD PRACTICE

import React from 'react';

const Hello = <div dangerouslySetInnerHTML={{ __html: "Hello World" }}>;

RECOMMENDED

import React from 'react';

const Hello =

Hello World
;

Dangerous property 'dangerouslySetInnerHTML' found
src/containers/Profile/Posts/Comments.js

      </div>
      <div className="info">
        <h3>{name}</h3>
        <span dangerouslySetInnerHTML={renderHtml(content)} />
        <div className="time">
          <time>{time}</time>
        </div>

Dangerous property 'dangerouslySetInnerHTML' found
src/containers/Profile/Posts/Comments.js

      </div>
      <div className="info">
        <h3>{name}</h3>
        <span dangerouslySetInnerHTML={renderHtml(content)} />
        <div className="time">
          <time>{time}</time>
          <button type="button" onClick={handleLike}>

Dangerous property 'dangerouslySetInnerHTML' found
src/containers/Profile/Posts/Posts.js

        {newData.type === 'video' && (
          <div
            className="video-container"
            dangerouslySetInnerHTML={renderHtml(newData.video)}
          ></div>
        )}
      </div>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant