ericclemmons / react-resolver

Async rendering & data-fetching for universal React applications.
https://ericclemmons.github.io/react-resolver

Remove XSS vulnerability from example #85

Closed donabrams closed 7 years ago

donabrams commented 9 years ago

Any data with a string including </script> when stringified may create an XSS security hole when rendering. See https://github.com/yahoo/serialize-javascript#user-content-automatic-escaping-of-html-characters.
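The break-out described above, as an added example that is not react-resolver's own code: the naive `JSON.stringify` inline beside a serializer that escapes the HTML-significant characters (in the spirit of serialize-javascript's automatic escaping), plus a check for whether the inline script element closes early. Function names and the sample state are assumptions constructed for this example.

```javascript
// Constructed sample state: one user-controlled string carries a script-closing tag.
const SAMPLE_STATE = {
  user: { name: 'Mallory', bio: '</script><script>alert(1)</script>' },
};

// Naive approach: JSON.stringify yields valid JSON, but the HTML tokenizer ends
// the <script> element at the first "</script" it sees, regardless of JS string
// context. Everything after it is parsed as markup.
function unsafeInlineState(state) {
  return `<script>window.__STATE__ = ${JSON.stringify(state)};</script>`;
}

// Hardened approach: replace the characters that matter to the HTML parser
// (and the two line terminators that are illegal in JS string literals) with
// JSON unicode escapes. The text stays valid JSON, so JSON.parse on the client
// returns the original data unchanged.
const ESCAPES = {
  '<': '\\u003C',
  '>': '\\u003E',
  '&': '\\u0026',
  '\u2028': '\\u2028',
  '\u2029': '\\u2029',
};
function serializeForInlineScript(value) {
  return JSON.stringify(value).replace(/[<>&\u2028\u2029]/g, (c) => ESCAPES[c]);
}
function safeInlineState(state) {
  return `<script>window.__STATE__ = ${serializeForInlineScript(state)};</script>`;
}

// Check as the tokenizer would: does a "</script" (case-insensitive) appear
// anywhere before the intended closing tag at the very end?
function scriptClosesEarly(html) {
  const body = html.slice('<script>'.length);
  const idx = body.search(/<\/script/i);
  return idx !== -1 && idx < body.length - '</script>'.length;
}

// Round-trip check: the escaped payload must parse back to the same data.
function roundTrips(state) {
  return JSON.stringify(JSON.parse(serializeForInlineScript(state))) === JSON.stringify(state);
}
```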

ghost commented 9 years ago

+1

ericclemmons commented 9 years ago

I know this is probably best practice, but isn't this more of an edge-case that would be best in docs vs. all of the examples?

ghost commented 9 years ago

Better to instill best practices into code IMO. Most people will be referencing examples as they build and might get FUD if they see unrelated XSS vulnerabilities mentioned in the documentation.

ericclemmons commented 7 years ago

I agree with merging this, but this PR is too far behind & I've appointed new contributors.

If someone would like to merge it and isn't a contributor, ping me. I eagerly accept new owners.