nteract / outputs

A collection of React components for displaying rich Jupyter display objects
BSD 3-Clause "New" or "Revised" License

Does VDOM support injecting a 'script' element? #12

Open bryanchen-d opened 4 years ago

bryanchen-d commented 4 years ago

Application or Package Used: @nteract/core

I'm evaluating whether there are any XSS risks in turning on the VDOM transform. Code like

VDOM({
    'tagName': 'script',
    'attributes':{},
    'children': "console.log(\"vdom\");alert(\"vdom\");"
})

would run; however, the script is not executed. I am wondering if the content of the VDOM object gets sanitized?

captainsafia commented 4 years ago

Transferring this to nteract/outputs.

The VDOM transform doesn't sanitize outputs. The reason the code isn't executed is that VDOM inserts elements into the UI using React's React.createElement API, which inserts the element into React's virtual DOM, which is then copied to the browser's DOM. As a result, the script is never actually executed.
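Since the transform itself does no sanitizing, a host that does not want to rely on React's rendering behaviour alone can validate VDOM objects before rendering them. The following is an added example, not nteract's code or the maintainers' recommendation: an allowlist filter over the `{ tagName, attributes, children }` shape shown in the issue, which drops the `script` node from the report outright. The allowlists, the `sanitizeVdom` name and the URL rule are assumptions chosen for illustration.

```javascript
// Added example (not nteract code): allowlist filter for VDOM JSON objects
// of the form { tagName, attributes, children } before they reach a renderer.
// The tag and attribute allowlists below are assumptions for illustration.
const ALLOWED_TAGS = new Set(['div', 'span', 'p', 'b', 'i', 'ul', 'ol', 'li',
  'h1', 'h2', 'h3', 'pre', 'code', 'img', 'a']);
const ALLOWED_ATTRS = new Set(['id', 'className', 'title', 'alt', 'src', 'href']);
// URL-bearing attributes must be relative or use a known scheme.
const SAFE_URL = /^(https?:|mailto:|\/|#)/i;

function sanitizeVdom(node) {
  // Text children pass through: React renders strings as text, never as markup.
  if (typeof node === 'string' || typeof node === 'number') return String(node);
  if (!node || typeof node !== 'object') return null;
  const tag = String(node.tagName || '').toLowerCase();
  // Anything not on the allowlist, including the 'script' node from the issue,
  // is dropped together with its subtree.
  if (!ALLOWED_TAGS.has(tag)) return null;
  const attributes = {};
  for (const [name, value] of Object.entries(node.attributes || {})) {
    if (!ALLOWED_ATTRS.has(name)) continue;
    if ((name === 'src' || name === 'href') && !SAFE_URL.test(String(value).trim())) continue;
    attributes[name] = String(value);
  }
  // children may be absent, a single string, or an array; normalise to an array.
  const raw = node.children === undefined ? []
    : Array.isArray(node.children) ? node.children : [node.children];
  const children = raw.map(sanitizeVdom).filter((c) => c !== null);
  return { tagName: tag, attributes, children };
}
```

The returned object keeps the same VDOM shape, so it can be handed to the existing transform unchanged.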