cain
commented
6 years ago Seems like all of the WordPress endpoints return HTML, it's not possible without using dangerouslySetInnerHTML
But you are right, some sanitizing needs to be done. https://github.com/cure53/DOMPurify works well.
davidsword
@uxcitizen noticed that there are several spots in this plugin using React's
dangerouslySetInnerHTML.https://github.com/Automattic/liveblog/search?q=dangerouslysetinnerhtml&unscoped_q=dangerouslysetinnerhtml
How many of those can we get rid of with refactoring?
Obviously some places are showing pre-rendered HTML from the server. In those cases, we should be sanitizing the HTML to strip out any unexpected or disallowed tags and attributes before passing it to
dangerouslySetInnerHTMLto reduce the potential for abuse.Ideally we have 0 of these calls, but for the ones we can't get away from, we should be sure everything is sanitized as far as possible.