Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

XSS Protection: href Object not being html escaped as a props #14160

Closed
KJ202 opened this issue Nov 8, 2018 · 3 comments
Closed

XSS Protection: href Object not being html escaped as a props #14160

KJ202 opened this issue Nov 8, 2018 · 3 comments

Comments

@KJ202
Copy link

KJ202 commented Nov 8, 2018

Do you want to request a feature or report a bug?
I would like to request a bug.

What is the current behavior?
From what I know, it is possible to inject object in props. However, this object seems to be html escaped when inserted into the DOM from my observation.

Thus, if I try to add an onerror=alert('XSS') in a <img {this.props.dangerousAtt /> tag through a props, this is gonna be escaped when rendered. Then, I realized that inserting an id='test' is totally possible with a props. So I thought only dangerous javascript injectable attributes are escaped such as onerror, onload, ...

However, I realized that the href=javascript:alert('1') is not escaped when inserted through a props. The javascript gets executed. Here, I thought it might a bug.

If the current behavior is a bug, please provide the steps to reproduce and if possible a minimal demo of the problem. Your bug will get fixed much faster if we can run your code and it doesn't have dependencies other than React. Paste the link to your JSFiddle (https://jsfiddle.net/Luktwrdm/) or CodeSandbox (https://codesandbox.io/s/new) example below:

class App extends Component {
  render() {
  const href = {href: "javascript:alert('1')"};
    return (
      <div>
      <a {...href}>Click here</a>     
      </div>
    ); 
}

ReactDOM.render(<App />, document.getElementById('root'));

What is the expected behavior?

I would expect the href object to be escaped as a props, so being treated exactly like onerror or other javascript attributes.

Which versions of React, and which browser / OS are affected by this issue? Did this work in previous versions of React?
React version: 16.6.0
Browser: Chrome 70.0.3538.77
@drag0s
Copy link

drag0s commented Nov 16, 2018

If you use the search-box, you will see that this issue was already discussed multiple times.

Ex:

#12441
#3473

@KJ202
Copy link
Author

KJ202 commented Nov 16, 2018

Thank you for your answer. You're right, I have already seen some discussion about that, but I'm still wondering:
Why is React protecting cases like "onerror=code" and not "href=javascript:code" or more generally all the javascript:code cases ? Is there a reason behind the hood that explains that ?
I didn't find the answer in these previous posts.

@gaearon
Copy link
Collaborator

gaearon commented Nov 19, 2018

No particular reason except that some attack vectors are more dangerous / more common in code in practice, and we need to balance expressive code with security. Closing as duplicate of #12441.

@gaearon gaearon closed this as completed Nov 19, 2018
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@gaearon @drag0s @KJ202