Pull Request Template

Description

Fixes # XSS attack

If you use getHTML, some specific attack tags will not be processed because the execution precondition of escapeHtml is that the variable exists “<>” at the same time.

The following tags will not be escaped and the attack script will be executed: <img src=x onxss="" onerror="alert(document.cookie);"

Type of change

Please delete options that are not relevant.

[x] Bug fix (non-breaking change which fixes an issue)
[ ] New feature (non-breaking change which adds functionality)
[ ] Breaking change (fix or feature that would cause existing functionality to not work as expected)
[ ] This change requires a documentation update

How Has This Been Tested?

Run unit test.

Add Test Case: None

CLAassistant commented 6 months ago

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

cwtuan commented 6 months ago

Thanks for your awesome work! This PR is done. Version: react-intl-universal@2.11.1

alibaba / react-intl-universal

Solve some XSS attack bypass scenarios #246

Pull Request Template

Description

Type of change

How Has This Been Tested?