score:77
React automatically escapes variables for you... It prevents XSS injection via string HTML with malicious Javascript.. Naturally, inputs are sanitized along with this.
For instance let's say you have this string
var htmlString = '<img src="javascript:alert('XSS!')" />';
if you try to render this string in react
render() {
return (
<div>{htmlString}</div>
);
}
you will literally see on the page the whole string including the <span> element tag. aka in the browser you will see <img src="javascript:alert('XSS!')" />
if you view the source html you would see
<span>"<img src="javascript:alert('XSS!')" />"</span>
Here is some more detail on what an XSS attack is
React basically makes it so you can't insert markup unless you create the elements yourself in the render function... that being said they do have a function that allows such rendering its called dangerouslySetInnerHTML... here is some more detail about it
Edit:
Few things to note, there are ways to get around what React escapes. One more common way is when users define props to your component. Dont extend any data from user input as props!
score:330
ReactJS is quite safe by design since
- String variables in views are escaped automatically
- With JSX you pass a function as the event handler, rather than a string that can contain malicious code
so a typical attack like this will not work
const username = "<img onerror='alert(\"Hacked!\")' src='invalid-image' />";
class UserProfilePage extends React.Component {
render() {
return (
<h1> Hello {username}!</h1>
);
}
}
ReactDOM.render(<UserProfilePage />, document.querySelector("#app"));<script src="https://cdnjs.cloudflare.com/ajax/libs/react/15.1.0/react.min.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/react/15.1.0/react-dom.min.js"></script>
<div id="app"></div>but ...
❗❗❗Warning❗❗❗
There are still some XSS attack vectors that you need to handle yourself in React!
1. XSS via dangerouslySetInnerHTML
When you use dangerouslySetInnerHTML you need to make sure the content doesn't contain any javascript. React can't do here anything for you.
const aboutUserText = "<img onerror='alert(\"Hacked!\");' src='invalid-image' />";
class AboutUserComponent extends React.Component {
render() {
return (
<div dangerouslySetInnerHTML={{"__html": aboutUserText}} />
);
}
}
ReactDOM.render(<AboutUserComponent />, document.querySelector("#app"))<script src="https://cdnjs.cloudflare.com/ajax/libs/react/15.1.0/react.min.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/react/15.1.0/react-dom.min.js"></script>
<div id="app"></div>2. XSS via a.href attribute
Example 1: Using javascript:code
Click on "Run code snippet" -> "My Website" to see the result
const userWebsite = "javascript:alert('Hacked!');";
class UserProfilePage extends React.Component {
render() {
return (
<a href={userWebsite}>My Website</a>
)
}
}
ReactDOM.render(<UserProfilePage />, document.querySelector("#app"));<script src="https://cdnjs.cloudflare.com/ajax/libs/react/15.1.0/react.min.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/react/15.1.0/react-dom.min.js"></script>
<div id="app"></div>Example 2: Using base64 encoded data:
Click on "Run code snippet" -> "My Website" to see the result
const userWebsite = "data:text/html;base64,PHNjcmlwdD5hbGVydCgiSGFja2VkISIpOzwvc2NyaXB0Pg==";
class UserProfilePage extends React.Component {
render() {
const url = userWebsite.replace(/^(javascript\:)/, "");
return (
<a href={url}>My Website</a>
)
}
}
ReactDOM.render(<UserProfilePage />, document.querySelector("#app"));<script src="https://cdnjs.cloudflare.com/ajax/libs/react/15.1.0/react.min.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/react/15.1.0/react-dom.min.js"></script>
<div id="app"></div>3. XSS via attacker controlled props
const customPropsControledByAttacker = {
dangerouslySetInnerHTML: {
"__html": "<img onerror='alert(\"Hacked!\");' src='invalid-image' />"
}
};
class Divider extends React.Component {
render() {
return (
<div {...customPropsControledByAttacker} />
);
}
}
ReactDOM.render(<Divider />, document.querySelector("#app"));<script src="https://cdnjs.cloudflare.com/ajax/libs/react/15.1.0/react.min.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/react/15.1.0/react-dom.min.js"></script>
<div id="app"></div>Here are more resources
Source: stackoverflow.com
Related Query
- What does it mean when they say React is XSS protected?
- What does it mean when you put elements under (or inside) a React component?
- What does type Props mean in react and typescript when used with Omit?
- What does ...rest mean in React JSX?
- What does @format mean in new react native App.js?
- React Source code: What does it mean by "real internal dependencies"
- What does the @ symbol mean in a react import statement
- Why does React resolve undefined/boolean/null to string only when they are variables?
- What does 'as' mean when importing a module?
- What does react test-utils expect when it refers to ReactComponent tree?
- What does forwardRef by a component in React dev tools mean and how can I use it?
- What does a null mean in React createElement()?
- What does it mean that (JSX) is a syntax extension to javascript in React
- Selectors in Redux - What does it mean for a React Component to know about redux state?
- React keys when handling dynamic children. What are they for? How are they used behind the scenes?
- What does it mean 'Legacy octal literals are not allowed in strict mode in react js'?
- Why am I getting these React PropType errors when I have specified what they are erroring about?
- React Component does not update when receiving an array of objects with reverse order. What can I do to make it updated?
- What does it mean when there are two functions with the 'arrow function indicator' between them?
- What does this piece of code mean when setting state?
- React fullstack architecture: When adding a react front-end to a node/express application, what aspects does react's state generally handle?
- What does "TypeError: props.data.map is not a function" mean and how to solve it in react
- What does this it mean when assigning to a { ... } object in javascript?
- What does && mean when used this way, and what is it called?
- What does static mean (do) in react
- What type to assign to children when they are all react components
- React functional stateless component, PureComponent, Component; what are the differences and when should we use what?
- What does npm install --legacy-peer-deps do exactly? When is it recommended / What's a potential use case?
- What happens when using this.setState multiple times in React component?
- Does React batch state update functions when using hooks?
More Query from same tag
- useHistory() react hook doesn't seem to trigger re-render
- How to Reset the dropdown values on form submission, Other Input values are getting Cleared in React Hooks
- Reactjs RichTextEditor Custom Toolbar in .tsx
- Browser Routers don`t render pages
- How to render the first tab link component of a child component in react nested routes?
- Unable to Pass multiple functions to onClick button in material UI
- Mapbox production error in console. "Uncaught ReferenceError: y is not defined"
- using TinyMCE Latex plugin for developers using TinyMCE React integration
- React.js remove item from Array in state syntax
- How to use material-ui inputBase to make select component?
- How to import method which is default exported from object in React?
- React update url base on action
- Why do we need dispatcher in Flux?
- React-router. History.replace without change location.key
- React Hooks - How to loop over dynamically created buttons to know which was clicked on?
- Making text field editable on button click
- How do you create a function progress bar in react?
- How to setState of an object inside an array in parent component from child component?
- NPM error when trying to launch react and nodejs
- ReactJs - Redux State is not updating in a dropdown in the child component
- React / Redux TypeError: Cannot call a class as a function
- How add Component with in react.js with reactHook?
- Testing React Functional Component with Hooks using Jest
- Unable to use hook in HOC for functional component
- Does useCallback accept an object from props in react?
- How to merging two lists in React?
- add custom prop to Component instance(not via parent) - react-data-grid
- How to use useEffect hook with the dependency list as a specific field in an array of objects?
- Argument of type '{...}' is not assignable to parameter of type 'Context<AuthProps>'
- React App: how to pass a variable to other file and read its value there
