Open bryanchen-d opened 4 years ago
Transferring this to nteract/outputs.
The VDOM transform doesn't sanitize outputs. The reason the code isn't executed is that VDOM inserts elements into the UI using React's React.createElement API, which inserts the element into React's virtual DOM, which is then copied to the browser's DOM. As a result, the script is never actually executed.
Application or Package Used: @nteract/core
I'm evaluating whether there are any XSS risks in turning on the VDOM transform. Code like
would run; however, the script is not executed. I am wondering whether the content of the VDOM object gets sanitized?