Review usage of dangerouslySetInnerHTML #526
Milestone
Comments
|
Seems like all of the WordPress endpoints return HTML, it's not possible without using But you are right, some sanitizing needs to be done. https://github.com/cure53/DOMPurify works well. |
|
I'll look into this! |
|
@davidsword looks really good! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
@uxcitizen noticed that there are several spots in this plugin using React's
dangerouslySetInnerHTML.https://github.com/Automattic/liveblog/search?q=dangerouslysetinnerhtml&unscoped_q=dangerouslysetinnerhtml
How many of those can we get rid of with refactoring?
Obviously some places are showing pre-rendered HTML from the server. In those cases, we should be sanitizing the HTML to strip out any unexpected or disallowed tags and attributes before passing it to
dangerouslySetInnerHTMLto reduce the potential for abuse.Ideally we have 0 of these calls, but for the ones we can't get away from, we should be sure everything is sanitized as far as possible.
The text was updated successfully, but these errors were encountered: