Closed Harry-Ross closed 1 year ago
Update: In my investigation, I discovered that DOMPurify does not play well with Next.js's hydration strategies - as it can only run on the browser. I also tried to use isomorphic-dompurify to no avail - throws a bunch of Tina errors.
I plan to use the xss package, as it runs on both server and client.
As per my conversation with @amankumarrr, I noticed that the use of `ReactDOMServer.renderToString` in `consulting/[filename].tsx` and `consulting/video-production/[filename].tsx` is vulnerable to XSS attacks:

Figure: script tag input in the call to action input box

Figure: the script running on page load
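Added illustration of the bug class described in this issue (not code from the project, from DOMPurify, or from the `xss` package): a call-to-action field whose value is emitted as raw markup by a server render, beside the same render with the value passed through a small string-based allowlist sanitizer. The sanitizer uses no DOM, so one function gives identical output in Node during `renderToString` and in the browser during hydration, which is the property the issue is after. The `renderCta*` helpers, the tag/attribute allowlists and the payload are constructed for the example.

```javascript
// Added example for this issue; not the project's code and not the xss package.
// Tags and attributes not in these allowlists are neutralised; the lists are
// assumptions chosen for a rich-text CTA field.
const ALLOWED_TAGS = new Set(['p', 'br', 'b', 'i', 'em', 'strong', 'a']);
const ALLOWED_ATTRS = { a: new Set(['href']) };

// Escape text so it can never be interpreted as markup.
function escapeHtml(s) {
  return s
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Accept only http(s), mailto, same-origin relative and fragment links.
// Whitespace and control characters are stripped before the check so
// "java\tscript:" cannot slip past the scheme test; "//evil" is rejected too.
function safeHref(value) {
  const probe = value.replace(/[\s\u0000-\u001f]/g, '').toLowerCase();
  return /^(https?:|mailto:|\/(?!\/)|#)/.test(probe) ? value : null;
}

// name, "value", 'value' or bare value
const ATTR_RE = /([a-zA-Z][\w-]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

function sanitizeAttrs(tag, raw) {
  const allowed = ALLOWED_ATTRS[tag] || new Set();
  let out = '';
  for (const m of raw.matchAll(ATTR_RE)) {
    const name = m[1].toLowerCase();
    if (!allowed.has(name)) continue;           // drops onclick, style, srcdoc, ...
    let value = m[2] ?? m[3] ?? m[4] ?? '';
    if (name === 'href') value = safeHref(value);
    if (value === null) continue;               // javascript: and friends are dropped
    out += ` ${name}="${escapeHtml(value)}"`;
  }
  return out;
}

// A tag ends at the first ">" (a ">" inside a quoted attribute value cuts the
// tag short; the remainder is then escaped as text, which is safe but lossy).
const TAG_RE = /^<(\/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/;

function sanitizeHtml(input) {
  let out = '';
  let i = 0;
  while (i < input.length) {
    const lt = input.indexOf('<', i);
    if (lt === -1) { out += escapeHtml(input.slice(i)); break; }
    out += escapeHtml(input.slice(i, lt));
    const m = TAG_RE.exec(input.slice(lt));
    if (!m) { out += '&lt;'; i = lt + 1; continue; }  // stray "<" becomes text
    const [whole, slash, rawName, rawAttrs] = m;
    const name = rawName.toLowerCase();
    if (!ALLOWED_TAGS.has(name)) {
      out += escapeHtml(whole);  // <script>, <img onerror=...>, comments: shown as text
    } else if (slash) {
      out += `</${name}>`;
    } else {
      out += `<${name}${sanitizeAttrs(name, rawAttrs)}>`;
    }
    i = lt + whole.length;
  }
  return out;
}

// Model of the vulnerable render: the field is concatenated into the server
// markup verbatim, so a <script> typed into the CTA box runs on page load.
function renderCtaUnsafe(ctaHtml) {
  return `<section class="cta">${ctaHtml}</section>`;
}

// Same render with the field sanitized first. sanitizeHtml has no DOM
// dependency, so the server and the hydrating client produce the same string.
function renderCtaSafe(ctaHtml) {
  return `<section class="cta">${sanitizeHtml(ctaHtml)}</section>`;
}

// Constructed payload of the kind the issue describes (script tag in the CTA box).
const PAYLOAD = '<b>Book now</b><script>alert(1)</script>'
  + '<a href="javascript:alert(2)" onclick="x()">link</a>';

console.log('unsafe:', renderCtaUnsafe(PAYLOAD));
console.log('safe:  ', renderCtaSafe(PAYLOAD));
```

The disallowed `<script>` is escaped rather than dropped, so the reader still sees what was entered, while `javascript:` hrefs and event-handler attributes are removed outright. Because the function is plain string processing, it can be called from the same component code path on both sides of a Next.js render.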