Open koto opened 4 years ago
gaearon
commented
4 years ago We briefly chatted about this with @sebmarkbage and he suggested it's still a bit too risky to put in 17.0 (for which we have an RC) but might be okay to put in 17.1 if we're confident it's not a breaking change and if there is exhaustive browser testing.
koto
commented
4 years ago No worries. In the meantime I found some interactions of this change with the javascript: URL sanitization that has to be gated on the TT feature flag to be secure. I'll send a PR once ready anyhow, such that we can identify the issues early on.
stale[bot]
commented
3 years ago This issue has been automatically marked as stale. If this issue is still affecting you, please leave any comment (for example, "bump"), and we'll keep it open. We are sorry that we haven't been able to prioritize it yet. If you have any new additional information, please include it with your comment!
koto
commented
3 years ago bump, looking for an answer to https://github.com/facebook/react/pull/19588#issuecomment-737201199.
koto
commented
3 years ago Friendly ping, cc @gaearon. This would probably need rebasing, but the open question is whether we should go with:
enableTrustedTypesIntegration feature flag. I feel the change is also bw-compatible, as reasoned in the PR description, ORenableTrustedTypesIntegration by default maybe? :) I'm happy to help with whatever's needed for either of the options, but the call on which option to take is yours :) FWIW, we just merged webpack 5 TT support which leaves only a tiny blocker and this issue for create-react-app apps to be TT compliant by default.
gaearon
commented
3 years ago From https://github.com/facebook/react/pull/19588:
Currently only IE<=9 does not stringify attributes, needing the workaround.
It's ok to drop IE9 by this point. If you have a fix that only breaks something in IE9 without adding extra logic let's merge it.
koto
commented
3 years ago It's ok to drop IE9 by this point. If you have a fix that only breaks something in IE9 without adding extra logic let's merge it.
Just done in #19588, it's ready for review.
melloware
commented
2 years ago @koto great work. This will be a huge addition to securing React.
woody-li
commented
1 year ago The PR was closed unexpected. It there any plan to implement it?
woody-li
commented
1 week ago The redo PR closed due to being stale as well.
This is regarding the discussion in #17773.
React-DOM currently stringifies DOM attribute values before passing them to
Element.setAttribute(NS)functions. This might be unnecessary, as these functions implicitly stringify attribute values on their own (WebIDL attributes typed asDOMString). It also makes it difficult to enforce Trusted Types in React applications, as the trusted type objects would be stringified before values reach the DOM sinks.Currently there is a
enableTrustedTypesIntegrationfeature flag to disable stringification, but it seems like this behavior can be safely removed for modern browsers with no backwards-compatibility problems. Let me explain:Attribute stringification was introduced in https://github.com/facebook/react/commit/b0455f46709fca94da0b6126b719d6dd07605e65, at that time to workaround a jsdom limitation (jsdom's DOM emulation didn't stringify on its own). IE 8/9 have a similar issue. If an object is passed to a DOM attribute, its value becomes
[object], ignoring any stringification rules defined in objects'toStringfunction.setAttributefunction does stringify the values via its IDL layer (runkit demo).p.title, and not one with a custom name).I propose to remove the stringification (similar to https://github.com/facebook/react/pull/17774) unless a browser bug is detected.
That way there is no spurious stringification, and the code branches with the workaround can be removed once buggy browsers stop being supported. My testing shows that only IE9 is affected. The change would be backwards-compatible. I'll send a PR with the proposed change.