-
Notifications
You must be signed in to change notification settings - Fork 47.6k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add trusted types to react on client side (#16157)
* Add trusted types to react on client side * Implement changes according to review * Remove support for trusted URLs, change TrustedTypes to trustedTypes * Add support for deprecated trusted URLs * Apply PR suggesstions * Warn only once, remove forgotten check, put it behind a flag * Move comment * Fix PR comments * Fix html toString concatenation * Fix forgotten else branch * Fix PR comments
- Loading branch information
Showing
18 changed files
with
259 additions
and
19 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -149,5 +149,6 @@ module.exports = { | |
spyOnProd: true, | ||
__PROFILE__: true, | ||
__UMD__: true, | ||
trustedTypes: true, | ||
}, | ||
}; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
101 changes: 101 additions & 0 deletions
101
packages/react-dom/src/client/__tests__/trustedTypes-test.internal.js
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,101 @@ | ||
describe('when Trusted Types are available in global object', () => { | ||
let React; | ||
let ReactDOM; | ||
let ReactFeatureFlags; | ||
let container; | ||
|
||
beforeEach(() => { | ||
container = document.createElement('div'); | ||
window.trustedTypes = { | ||
isHTML: () => true, | ||
isScript: () => false, | ||
isScriptURL: () => false, | ||
}; | ||
ReactFeatureFlags = require('shared/ReactFeatureFlags'); | ||
ReactFeatureFlags.enableTrustedTypesIntegration = true; | ||
React = require('react'); | ||
ReactDOM = require('react-dom'); | ||
}); | ||
|
||
afterEach(() => { | ||
delete window.trustedTypes; | ||
ReactFeatureFlags.enableTrustedTypesIntegration = false; | ||
}); | ||
|
||
it('should not stringify trusted values', () => { | ||
const trustedObject = {toString: () => 'I look like a trusted object'}; | ||
class Component extends React.Component { | ||
state = {inner: undefined}; | ||
render() { | ||
return <div dangerouslySetInnerHTML={{__html: this.state.inner}} />; | ||
} | ||
} | ||
|
||
const isHTMLSpy = jest.spyOn(window.trustedTypes, ['isHTML']); | ||
const instance = ReactDOM.render(<Component />, container); | ||
instance.setState({inner: trustedObject}); | ||
|
||
expect(container.firstChild.innerHTML).toBe(trustedObject.toString()); | ||
expect(isHTMLSpy).toHaveBeenCalledWith(trustedObject); | ||
}); | ||
|
||
describe('dangerouslySetInnerHTML in svg elements in Internet Explorer', () => { | ||
let innerHTMLDescriptor; | ||
|
||
// simulate svg elements in Internet Explorer which don't have 'innerHTML' property | ||
beforeEach(() => { | ||
innerHTMLDescriptor = Object.getOwnPropertyDescriptor( | ||
Element.prototype, | ||
'innerHTML', | ||
); | ||
delete Element.prototype.innerHTML; | ||
Object.defineProperty( | ||
HTMLDivElement.prototype, | ||
'innerHTML', | ||
innerHTMLDescriptor, | ||
); | ||
}); | ||
|
||
afterEach(() => { | ||
delete HTMLDivElement.prototype.innerHTML; | ||
Object.defineProperty( | ||
Element.prototype, | ||
'innerHTML', | ||
innerHTMLDescriptor, | ||
); | ||
}); | ||
|
||
it('should log a warning', () => { | ||
class Component extends React.Component { | ||
render() { | ||
return <svg dangerouslySetInnerHTML={{__html: 'unsafe html'}} />; | ||
} | ||
} | ||
expect(() => { | ||
ReactDOM.render(<Component />, container); | ||
}).toWarnDev( | ||
"Warning: Using 'dangerouslySetInnerHTML' in an svg element with " + | ||
'Trusted Types enabled in an Internet Explorer will cause ' + | ||
'the trusted value to be converted to string. Assigning string ' + | ||
"to 'innerHTML' will throw an error if Trusted Types are enforced. " + | ||
"You can try to wrap your svg element inside a div and use 'dangerouslySetInnerHTML' " + | ||
'on the enclosing div instead.', | ||
); | ||
}); | ||
}); | ||
|
||
it('should warn once when rendering script tag in jsx on client', () => { | ||
expect(() => { | ||
ReactDOM.render(<script>alert("I am not executed")</script>, container); | ||
}).toWarnDev( | ||
'Warning: Encountered a script tag while rendering React component. ' + | ||
'Scripts inside React components are never executed when rendering ' + | ||
'on the client. Consider using template tag instead ' + | ||
'(https://developer.mozilla.org/en-US/docs/Web/HTML/Element/template).\n' + | ||
' in script (at **)', | ||
); | ||
|
||
// check that the warning is print only once | ||
ReactDOM.render(<script>alert("I am not executed")</script>, container); | ||
}); | ||
}); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,35 @@ | ||
/** | ||
* Copyright (c) Facebook, Inc. and its affiliates. | ||
* | ||
* This source code is licensed under the MIT license found in the | ||
* LICENSE file in the root directory of this source tree. | ||
* | ||
* @flow | ||
*/ | ||
|
||
import type {TrustedValue} from './ToStringValue'; | ||
|
||
/** | ||
* Set attribute for a node. The attribute value can be either string or | ||
* Trusted value (if application uses Trusted Types). | ||
*/ | ||
export function setAttribute( | ||
node: Element, | ||
attributeName: string, | ||
attributeValue: string | TrustedValue, | ||
) { | ||
node.setAttribute(attributeName, (attributeValue: any)); | ||
} | ||
|
||
/** | ||
* Set attribute with namespace for a node. The attribute value can be either string or | ||
* Trusted value (if application uses Trusted Types). | ||
*/ | ||
export function setAttributeNS( | ||
node: Element, | ||
attributeNamespace: string, | ||
attributeName: string, | ||
attributeValue: string | TrustedValue, | ||
) { | ||
node.setAttributeNS(attributeNamespace, attributeName, (attributeValue: any)); | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.