search

radix-ui / primitives

Radix Primitives is an open-source UI component library for building high-quality, accessible design systems and web apps. Maintained by @workos.
https://radix-ui.com/primitives
MIT License
15.91k stars 831 forks source link

Setting innerHTML of `<style>` elements will cause issues with trusted types #3117

Open terrymun opened 2 months ago

terrymun commented 2 months ago

Bug report

Current Behavior

There are several Radix UI Primitives that rely on dangerouslySetInnerHtml to inject content into <style> tags, for example the <ScrollArea> (see code) and <Select> (see code) components.

This causes issues in React apps that has set trusted types in their CSP headers.

p/s: Not all browsers support the trusted types CSP header yet.

Expected behavior

Using these components should not cause warnings in browsers that support trusted types CSP headers serving a React App with such headers set.

Suggested solution

Your environment

Software Name(s) Version
Radix Package(s) @radix-ui/react-scroll-area, @radix-ui/react-select Latest on both
React n/a 19 (via Next.js)
Browser Chrome 128
Assistive tech n/a n/a
Node n/a 20.14.0
pnpm n/a 9.10.0
Operating System macOS Sonoma (14.6.1)
prests commented 1 week ago

Hi,

I opened a discussion on improving Radix's style authoring to fix these CSP issues. Perhaps we can get more buy-in via more engagement: https://github.com/radix-ui/primitives/discussions/3130