Skip to content

Commit

Permalink
[Fizz] escape <style> textContent as css (#28870)
Browse files Browse the repository at this point in the history
style text content has historically been escaped as HTML which is
non-sensical and often leads users to using dangerouslySetInnerHTML as a
matter of course. While rendering untrusted style rules is a security
risk React doesn't really provide any special protection here and
forcing users to use a completely unescaped API is if anything worse. So
this PR updates the style escaping rules for Fizz to only escape the
text content to ensure the tag scope cannot be closed early. This is
accomplished by encoding "s" and "S" as hexadecimal unicode
representation "\73 " and "\53 " respectively when found within a
sequence like </style>. We have to be careful to support casing here
just like with the script closing tag regex for bootstrap scripts.
  • Loading branch information
gnoff authored Apr 19, 2024
1 parent 4c34a7f commit aead514
Show file tree
Hide file tree
Showing 2 changed files with 72 additions and 2 deletions.
24 changes: 22 additions & 2 deletions packages/react-dom-bindings/src/server/ReactFizzConfigDOM.js
Original file line number Diff line number Diff line change
Expand Up @@ -2669,6 +2669,26 @@ function pushStyle(
}
}

/**
* This escaping function is designed to work with style tag textContent only.
*
* While untrusted style content should be made safe before using this api it will
* ensure that the style cannot be early terminated or never terminated state
*/
function escapeStyleTextContent(styleText: string) {
if (__DEV__) {
checkHtmlStringCoercion(styleText);
}
return ('' + styleText).replace(styleRegex, styleReplacer);
}
const styleRegex = /(<\/|<)(s)(tyle)/gi;
const styleReplacer = (
match: string,
prefix: string,
s: string,
suffix: string,
) => `${prefix}${s === 's' ? '\\73 ' : '\\53 '}${suffix}`;

function pushStyleImpl(
target: Array<Chunk | PrecomputedChunk>,
props: Object,
Expand Down Expand Up @@ -2710,7 +2730,7 @@ function pushStyleImpl(
child !== undefined
) {
// eslint-disable-next-line react-internal/safe-string-coercion
target.push(stringToChunk(escapeTextForBrowser('' + child)));
target.push(stringToChunk(escapeStyleTextContent(child)));
}
pushInnerHTML(target, innerHTML, children);
target.push(endChunkForTag('style'));
Expand Down Expand Up @@ -2752,7 +2772,7 @@ function pushStyleContents(
child !== undefined
) {
// eslint-disable-next-line react-internal/safe-string-coercion
target.push(stringToChunk(escapeTextForBrowser('' + child)));
target.push(stringToChunk(escapeStyleTextContent(child)));
}
pushInnerHTML(target, innerHTML, children);
return;
Expand Down
50 changes: 50 additions & 0 deletions packages/react-dom/src/__tests__/ReactDOMFizzServer-test.js
Original file line number Diff line number Diff line change
Expand Up @@ -4256,6 +4256,56 @@ describe('ReactDOMFizzServer', () => {
});
});

describe('<style> textContent escaping', () => {
it('the "S" in "</?[Ss]style" strings are replaced with unicode escaped lowercase s or S depending on case, preserving case sensitivity of nearby characters', async () => {
await act(() => {
const {pipe} = renderToPipeableStream(
<style>{`
.foo::after {
content: 'sSsS</style></Style></StYlE><style><Style>sSsS'
}
body {
background-color: blue;
}
`}</style>,
);
pipe(writable);
});
expect(window.getComputedStyle(document.body).backgroundColor).toMatch(
'blue',
);
});

it('the "S" in "</?[Ss]style" strings are replaced with unicode escaped lowercase s or S depending on case, preserving case sensitivity of nearby characters inside hoistable style tags', async () => {
await act(() => {
const {pipe} = renderToPipeableStream(
<>
<style href="foo" precedence="default">{`
.foo::after {
content: 'sSsS</style></Style></StYlE><style><Style>sSsS'
}
body {
background-color: blue;
}
`}</style>
<style href="bar" precedence="default">{`
.foo::after {
content: 'sSsS</style></Style></StYlE><style><Style>sSsS'
}
body {
background-color: red;
}
`}</style>
</>,
);
pipe(writable);
});
expect(window.getComputedStyle(document.body).backgroundColor).toMatch(
'red',
);
});
});

// @gate enableFizzExternalRuntime
it('supports option to load runtime as an external script', async () => {
await act(() => {
Expand Down

0 comments on commit aead514

Please sign in to comment.