-
Notifications
You must be signed in to change notification settings - Fork 19
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Consider not using dangerouslySetInnerHTML #16
Comments
Please note that I got some inspiration from this other issue: nfl/react-helmet#333 (comment) |
Yeah this package isn't particularly compatible with Helmet. We need Helmet goes around that, which is why this works for them, but not for vanilla react. It seems like part of your ask is to export |
For helmet, I often found that using its attributes section is easier, e.g.: <Helmet
htmlAttributes={{ lang: "en" }} //Example,
title="..."
script={[
{
type: "application/ld+json",
innerHTML: JSON.stringify(graph)
},
// ...
]}
/> Only thing is that you'd need to use a safe JsonLD replacer in that JSON.stringify as well. It might make sense to have a flavor of react-schemaorg that returns a |
Thank you for the quick answers! I was writing this issue while trying to understand XSS vulnerabilities more in-depth in the context of LD-JSON script tags. I think part of my ask would become exporting I'm also curious whether there was a reason for using In your latest example, are you suggesting using a replacer as well because |
Re: DOM Sanitize (and I think it also implicitly answers some of the other
questions): content inside of these script tags is JSON-LD which by spec
has its own definition of valid characters and what sanitization looks
like. You can see this in the text of the commit message that implemented
the XSS fix.
We're not really escaping HTML entities or sanitizing actually HTML/DOM
content per se.
But yes, if there's another library just to do this, we can use it. That
said, the spec is small enough that it's fairly reasonable to implement
inline.
|
Check out the readme, out of 1.1.0 there's now native support for Helmet via the |
Thank you for this package, I came across it following this issue: #9, as I'm still learning about
dangerouslySetInnerHTML
and XSS.I noticed that this package uses
dangerouslySetInnerHTML
:In order to modify
head
on the website I'm working on, I use https://github.com/staylor/react-helmet-async which is an improved fork of https://github.com/nfl/react-helmet, for React 16+.I noticed https://github.com/nfl/react-helmet readme has an example for
JSON-LD
which doesn't usedangerouslySetInnerHTML
:(please note that I added the first and last lines to make the example shorter)
I suppose in the case of https://github.com/google/react-schemaorg, such a syntax (not using
dangerouslySetInnerHTML
) wasn't followed because it has constraints:renderStatic
on the server for https://github.com/nfl/react-helmet, orHelmetProvider
for https://github.com/staylor/react-helmet-asyncI suppose https://github.com/google/react-schemaorg is aiming for simplicity and not using any
Helmet
package for this reason.If within a project we have the choice then what would you recommend please?
Option a)
Option b)
Thank you in advance for your time!
The text was updated successfully, but these errors were encountered: