vercel / react-tweet

Embed tweets in your React application.
https://react-tweet.vercel.app
MIT License

HTML entities not decoded in output #29

Closed tywayne closed 1 year ago

tywayne commented 1 year ago

Tweet bodies that contain encoded HTML entities are not being decoded in the rendered output.

Example API response: https://cdn.syndication.twimg.com/tweet-result?id=1631503729143738375

Link to that tweet in the example app: http://localhost:3000/dark/1631503729143738375

Screenshot of the output, the code snippet is rendering `&gt;` instead of `>`:

[Screenshot 2023-03-04 at 10 09 35 PM]

Potential Solution

Depending on whether you assume the response from the API is trusted/sanitized, this could be as easy as using `dangerouslySetInnerHTML` on the `<span>` in TweetBody, something like this:

```jsx
return <span key={i} dangerouslySetInnerHTML={{ __html: text }} />
```

instead of the current line https://github.com/vercel-labs/next-tweet/blob/e48dceae3fe8bbffd4c877fa8d8b56da2d12f9ce/packages/next-tweet/src/tweet-body.tsx#L105

Happy to put up a quick PR with this change, just didn't know for sure if you'd want/need to do any additional sanitation before setting it dangerously.
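As an added example, not code from react-tweet or from this thread, here is the alternative of decoding the entities into a plain string and rendering it as an ordinary React child, so React still escapes the text and no markup from the API response reaches the DOM as HTML. The function name and the sample tweet text are constructed for the example.

```javascript
// Added example (not react-tweet's code): decode the HTML entities the
// syndication API leaves in tweet text and return a plain string. Rendered
// as a React child, that string is escaped by React, unlike the raw-HTML
// path that dangerouslySetInnerHTML takes.
const NAMED_ENTITIES = {
  amp: '&',
  lt: '<',
  gt: '>',
  quot: '"',
  apos: "'",
  nbsp: '\u00a0',
};

// Matches &name; , &#123; and &#x1F; ; anything else is left untouched.
const ENTITY_RE = /&(#x[0-9a-f]+|#[0-9]+|[a-z]+);/gi;

function decodeHtmlEntities(text) {
  return text.replace(ENTITY_RE, (match, body) => {
    if (body[0] === '#') {
      const isHex = body[1] === 'x' || body[1] === 'X';
      const codePoint = parseInt(body.slice(isHex ? 2 : 1), isHex ? 16 : 10);
      // Leave malformed or out-of-range references as written instead of throwing.
      if (!Number.isFinite(codePoint) || codePoint > 0x10ffff) return match;
      return String.fromCodePoint(codePoint);
    }
    const named = NAMED_ENTITIES[body.toLowerCase()];
    return named === undefined ? match : named;
  });
}

// Constructed sample shaped like a tweet text segment containing a code
// snippet; the API has already entity-encoded the angle brackets.
const SAMPLE_TWEET_TEXT = 'if (a &gt; b &amp;&amp; c &lt; d) { /* ... */ }';

// One pass only: "&amp;gt;" becomes "&gt;", not ">", so double-encoded input
// is never decoded further than the author wrote it. In TweetBody this would
// be used as <span key={i}>{decodeHtmlEntities(text)}</span>, so a tweet
// containing "&lt;script&gt;" shows the literal characters "<script>" and is
// never interpreted as a script element.
function decodedSample() {
  return decodeHtmlEntities(SAMPLE_TWEET_TEXT);
}
```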

lfades commented 1 year ago

I think using dangerouslySetInnerHTML is okay, feel free to make a PR!