What does it mean when they say React is XSS protected?

by

ReactJS is quite safe by design since

  1. String variables in views are escaped automatically
  2. With JSX you pass a function as the event handler, rather than a string that can contain malicious code

so a typical attack like this will not work

const username = "<img onerror="alert(\"Hacked!\")" src="https://stackoverflow.com/questions/33644499/invalid-image" />";

class UserProfilePage extends React.Component {
  render() {
    return (
      <h1> Hello {username}!</h1>
    );
  }
}

ReactDOM.render(<UserProfilePage />, document.querySelector("#app"));
<script src="https://cdnjs.cloudflare.com/ajax/libs/react/15.1.0/react.min.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/react/15.1.0/react-dom.min.js"></script>
<div id="app"></div>

but …

❗❗❗Warning❗❗❗

There are still some XSS attack vectors that you need to handle yourself in React!

1. XSS via dangerouslySetInnerHTML

When you use dangerouslySetInnerHTML you need to make sure the content doesn’t contain any javascript. React can’t do here anything for you.

const aboutUserText = "<img onerror="alert(\"Hacked!\");" src="https://stackoverflow.com/questions/33644499/invalid-image" />";

class AboutUserComponent extends React.Component {
  render() {
    return (
      <div dangerouslySetInnerHTML={{"__html": aboutUserText}} />
    );
  }
}

ReactDOM.render(<AboutUserComponent />, document.querySelector("#app"))
<script src="https://cdnjs.cloudflare.com/ajax/libs/react/15.1.0/react.min.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/react/15.1.0/react-dom.min.js"></script>
<div id="app"></div>

2. XSS via a.href attribute

Example 1: Using javascript:code

Click on “Run code snippet” -> “My Website” to see the result

const userWebsite = "javascript:alert('Hacked!');";

class UserProfilePage extends React.Component {
  render() {
    return (
      <a href={userWebsite}>My Website</a>
    )
  }
}

ReactDOM.render(<UserProfilePage />, document.querySelector("#app"));
<script src="https://cdnjs.cloudflare.com/ajax/libs/react/15.1.0/react.min.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/react/15.1.0/react-dom.min.js"></script>
<div id="app"></div>

Example 2: Using base64 encoded data:

Click on “Run code snippet” -> “My Website” to see the result

const userWebsite = "data:text/html;base64,PHNjcmlwdD5hbGVydCgiSGFja2VkISIpOzwvc2NyaXB0Pg==";

class UserProfilePage extends React.Component {
  render() {
    const url = userWebsite.replace(/^(javascript\:)/, "");
    return (
      <a href={url}>My Website</a>
    )
  }
}

ReactDOM.render(<UserProfilePage />, document.querySelector("#app"));
<script src="https://cdnjs.cloudflare.com/ajax/libs/react/15.1.0/react.min.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/react/15.1.0/react-dom.min.js"></script>
<div id="app"></div>

3. XSS via attacker controlled props

const customPropsControledByAttacker = {
  dangerouslySetInnerHTML: {
    "__html": "<img onerror="alert(\"Hacked!\");" src="https://stackoverflow.com/questions/33644499/invalid-image" />"
  }
};

class Divider extends React.Component {
  render() {
    return (
      <div {...customPropsControledByAttacker} />
    );
  }
}

ReactDOM.render(<Divider />, document.querySelector("#app"));
<script src="https://cdnjs.cloudflare.com/ajax/libs/react/15.1.0/react.min.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/react/15.1.0/react-dom.min.js"></script>
<div id="app"></div>

Here are more resources

More Related Contents:

  1. Found 4 vulnerabilities on npm install
  2. Is there a “Best Practices” on designing an application written both in React and React-Native?
  3. Programmatically navigate using React router
  4. React setState not Updating Immediately
  5. My React Component is rendering twice because of Strict Mode
  6. How to set one component’s state from another component in React
  7. Template not provided using create-react-app
  8. What are “top level JSON arrays” and why are they a security risk?
  9. Component does not remount when route parameters change
  10. How to cancel a fetch on componentWillUnmount
  11. Handling async request with React, Redux and Axios?
  12. Use custom build output folder when using create-react-app
  13. What does ‘Only a ReactOwner can have refs.’ mean?
  14. react-router vs react-router-dom, when to use one or the other?
  15. Reactjs: Unexpected token ‘
  16. Is it safe to use $.support.cors = true; in jQuery?
  17. Warning: It looks like you’re using the development build of the Firebase JS SDK
  18. Pass multiple parameters to event handlers in React
  19. What is the difference between componentWillMount and componentDidMount in ReactJS?
  20. How to minimize the size of webpack’s bundle?
  21. Passing object as props to jsx
  22. create-react-app: how to use https instead of http?
  23. Disable ESLint that create-react-app provides
  24. Webpack & Typescript image import
  25. Passing values through React-Router v4
  26. How to import a .txt file from my source?
  27. How to listen to localstorage value changes in react?
  28. Why my render method is react called twice
  29. Put A Warning If Page Refresh in ReactJS
  30. React Router V6 – Error: useRoutes() may be used only in the context of a component

Leave a Comment