snabbdom / snabbdom-to-html

Render Snabbdom vnodes to HTML strings

Escape HTML in the text content #38

Closed rbelouin closed 6 years ago

rbelouin commented 6 years ago

An issue I've noticed recently:

```js
// Assumed require lines (not in the original report), following the
// snabbdom-to-html README of that era:
var h = require('snabbdom/h').default
var toHTML = require('snabbdom-to-html')

const html = toHTML(h('div', '<p></p>'));
console.log(html);

// outputs: <div><p></p></div>   (the "<" and ">" of the text node are not escaped)
```

As you can see, the HTML characters of the text content of the div tag aren't escaped properly. This isn't consistent with snabbdom's behavior and this is a security flaw: if anyone is using this library in production to render pages, they might be vulnerable to XSS attacks.

Issue #36 seems to be related.

zkochan commented 6 years ago

Just a note, even though this was a bug on snabbdom-to-html's end, this IS a breaking change. I know devs that were using it as a feature, passing raw HTML as text.

acstll commented 6 years ago

Thank you @rbelouin, it's perfect. I'm merging and publishing tomorrow.

I'll bump major then, I agree @zkochan

acstll commented 6 years ago

Published 5.0.0, thanks again @rbelouin for such an impeccable PR!

rbelouin commented 6 years ago

No worries!

caramboleyo commented 1 year ago

Is there a way to bypass escape? I am inserting a stringified JSON-Object in a script tag and now all " are \"

EDIT: I solved it in a fork by adding UNESCAPED_ELEMENTS to elements.js and an escapeText bool to renderString. I can now define tags whose children are not being escaped: https://github.com/snabbdom/snabbdom-to-html/commit/163abbf7f312d67641889f93950398f0dbd1cd54