Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Added documentation about potential XSS in router.push #71645

Merged
merged 4 commits into from
Oct 30, 2024
Merged

Added documentation about potential XSS in router.push #71645

Changes from 2 commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
3f60b40
Added documentation about potential XSS in router.push
aickin Oct 22, 2024
18feb4a
Added documentation about XSS vulnerability to router.replace
aickin Oct 23, 2024
1024026
Response to code review. Pulled note out into the "Good to know" sect…
aickin Oct 30, 2024
8f0c479
Merge branch 'canary' into add-router-push-doc
aickin Oct 30, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions docs/02-app/02-api-reference/04-functions/use-router.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -41,8 +41,8 @@ export default function Page() {

## `useRouter()`

- `router.push(href: string, { scroll: boolean })`: Perform a client-side navigation to the provided route. Adds a new entry into the [browser’s history](https://developer.mozilla.org/docs/Web/API/History_API) stack.
- `router.replace(href: string, { scroll: boolean })`: Perform a client-side navigation to the provided route without adding a new entry into the [browser’s history stack](https://developer.mozilla.org/docs/Web/API/History_API).
- `router.push(href: string, { scroll: boolean })`: Perform a client-side navigation to the provided route. Adds a new entry into the [browser’s history](https://developer.mozilla.org/docs/Web/API/History_API) stack. Note that you must not send untrusted or unsanitized URLs to `router.push`, as this can open your site to cross-site scripting (XSS) vulnerabilities. For example, `javascript:` URLs sent to `router.push` will be executed in the context of your page.
- `router.replace(href: string, { scroll: boolean })`: Perform a client-side navigation to the provided route without adding a new entry into the [browser’s history stack](https://developer.mozilla.org/docs/Web/API/History_API). Note that you must not send untrusted or unsanitized URLs to `router.replace`, as this can open your site to cross-site scripting (XSS) vulnerabilities. For example, `javascript:` URLs sent to `router.replace` will be executed in the context of your page.
aickin marked this conversation as resolved.
Show resolved Hide resolved
- `router.refresh()`: Refresh the current route. Making a new request to the server, re-fetching data requests, and re-rendering Server Components. The client will merge the updated React Server Component payload without losing unaffected client-side React (e.g. `useState`) or browser state (e.g. scroll position).
- `router.prefetch(href: string)`: [Prefetch](/docs/app/building-your-application/routing/linking-and-navigating#2-prefetching) the provided route for faster client-side transitions.
- `router.back()`: Navigate back to the previous route in the browser’s history stack.
Expand Down
Loading