jtart / react-universal-app

Library for building a single-page application with Universal React component(s) and React Router.
MIT License

Inline `<script>` in App breaks react-universal-app #79

Open ChrisBAshton opened 5 years ago

ChrisBAshton commented 5 years ago

react-universal-app uses this mechanism:

<script>
  window.__APP_DATA__ = data;
</script>

If data contains any <script> tag - even inside a string, and even if the value isn't used anywhere - the app crashes.

const data = {
  foo: 'bar',
  baz: '<script>console.log("hai")</script>',
};
jtart commented 5 years ago

The basic example stringifies, then replaces any < with its unicode character, which works when a script is added to the page (I just tested it). I would recommend doing that; it also helps prevent script injection attacks.
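
The mechanism jtart describes, as an added example that is not code from react-universal-app or from either commenter: the naive inline-script serialization beside a hardened one that runs `JSON.stringify` and then replaces `<`, `>`, `&`, U+2028 and U+2029 with their `\uXXXX` JSON escapes. Function names, the `extractAppData` helper and the sample `data` object are this example's own assumptions (the sample is modelled on the issue report). Because the escaped text is still valid JSON, the browser (or `JSON.parse`) recovers the original strings, while the HTML parser never sees a literal `</script>` inside the element.

```javascript
// Added example, not react-universal-app's own code.

// Naive version, as the issue describes it: a "</script>" inside any string
// value closes the <script> element early and the remainder is parsed as HTML.
function naiveInlineScript(data) {
  return '<script>\n  window.__APP_DATA__ = ' + JSON.stringify(data) + ';\n</script>';
}

// Hardened version: JSON.stringify first, then replace characters that matter
// to the HTML parser with JSON \uXXXX escapes. The result is still valid JSON
// and a valid JavaScript object literal, so the value round-trips unchanged.
function escapeForInlineScript(json) {
  return json
    .replace(/</g, '\\u003c')      // no literal "</script>" or "<!--" can remain
    .replace(/>/g, '\\u003e')      // no literal "-->" either
    .replace(/&/g, '\\u0026')      // harmless inside <script>, defensive elsewhere
    .replace(/\u2028/g, '\\u2028') // valid in JSON strings but illegal in JS
    .replace(/\u2029/g, '\\u2029'); // string literals before ES2019
}

function safeInlineScript(data) {
  return '<script>\n  window.__APP_DATA__ = ' +
    escapeForInlineScript(JSON.stringify(data)) + ';\n</script>';
}

// Constructed input modelled on the issue report.
const data = {
  foo: 'bar',
  baz: '<script>console.log("hai")</script>',
};

// True if the body of the rendered <script> element contains a closing tag the
// HTML tokenizer would act on (it matches "</script" case-insensitively).
function containsScriptCloseTag(html) {
  const body = html.slice('<script>'.length, html.lastIndexOf('</script>'));
  return /<\/script/i.test(body);
}

// Hypothetical helper standing in for the browser: pull the assigned value out
// of the rendered script and decode it as JSON.
function extractAppData(html) {
  const m = /window\.__APP_DATA__ = ([\s\S]*);\n<\/script>$/.exec(html);
  if (!m) throw new Error('no __APP_DATA__ assignment found');
  return JSON.parse(m[1]);
}
```

`containsScriptCloseTag(naiveInlineScript(data))` is true, which is the crash from the report; `containsScriptCloseTag(safeInlineScript(data))` is false, and `extractAppData(safeInlineScript(data)).baz` is the original string with the `<script>` tags intact. Escaping `<` alone is enough to stop the early close; the other replacements cost nothing and cover adjacent edge cases.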

ChrisBAshton commented 5 years ago

Thanks @jtart - will take a look.