
Let's say I write a webapp using React only, never touching the DOM directly. I never use dangerouslySetInnerHTML. Do I still have to worry about XSS? Or in other words, are there any other unsafe usages of React?

It would be very nice if the only thing I had to remember to keep myself safe from XSS was to not use a property with the word dangerous in its name. But is it that simple?

I'm not counting the risk of bugs in the React engine itself here. Neither am I interested in things not directly related to React, such as the common store hydration mistake.

Anders

1 Answer


I wouldn't say "safe". ReactJS is reasonably safe by design as long as you use it the way it's meant to be used. Among other things, do not use dangerouslySetInnerHTML.

However, there are other ways a dedicated attacker can find a way to bypass the XSS roadblocks on your app. Some of them are listed in this DailyJS article:

  • Creating React components from user-supplied objects;
  • Rendering links with user-supplied href attributes, or other HTML tags with injectable attributes (link tag, HTML5 imports);
  • Explicitly setting the dangerouslySetInnerHTML prop of an element;
  • Passing user-supplied strings to eval().

The safest stance to take would be to Trust but Verify. By default, you must not trust ANY user input. As much as React will take care of most of the security for you client side, make sure you also implement security checks server side on ALL user inputs/functions.

Anders
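As an added illustration of the second and first bullets above (not part of the original question or answer, and not React's own code), the following helpers show the two checks a React app still has to do itself. React escapes text children and attribute values, but it does not judge their meaning: a string such as `javascript:alert(1)` placed in `href` is escaped correctly and is still a working link, and an object passed where a string child was expected is not a string. The function names, the allow-list, the fallback `#` and the sample inputs are this example's own assumptions; the URL parsing relies on the WHATWG `URL` class available in browsers and Node.

```javascript
// Scheme allow-list for user-supplied link targets. Anything else
// (javascript:, data:, vbscript:, unknown schemes) falls back to "#".
const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]);

// Return a link target that is safe to place in <a href={...}>.
// The WHATWG URL parser strips ASCII tabs/newlines and lowercases the
// scheme, so obfuscations like "java\tscript:" or "JaVaScRiPt:" are
// normalised before the allow-list check. Relative paths are resolved
// against `base` so they come back as ordinary http(s) links.
function safeHref(candidate, base = "https://example.invalid/") {
  if (typeof candidate !== "string") {
    return "#";
  }
  let parsed;
  try {
    parsed = new URL(candidate.trim(), base);
  } catch (err) {
    return "#"; // unparseable input is not a link
  }
  return ALLOWED_SCHEMES.has(parsed.protocol) ? parsed.href : "#";
}

// Coerce a user-supplied value into something React will render as text.
// Strings and finite numbers pass through; objects (including anything
// shaped like a React element) are refused, so `{toTextChild(x)}` can never
// turn into a component or element the user chose.
function toTextChild(value) {
  if (typeof value === "string") {
    return value;
  }
  if (typeof value === "number" && Number.isFinite(value)) {
    return String(value);
  }
  return "";
}

// Constructed sample of untrusted profile data, e.g. from a JSON API.
const untrustedProfile = {
  name: { type: "script", props: { children: "alert(1)" } },
  website: " JaVaScRiPt:alert(document.cookie)",
};

// In a component this would be used as:
//   <a href={safeHref(untrustedProfile.website)}>{toTextChild(untrustedProfile.name)}</a>
// Both dangerous values are neutralised before they reach JSX.
console.log(safeHref(untrustedProfile.website), JSON.stringify(toTextChild(untrustedProfile.name)));

module.exports = { safeHref, toTextChild, ALLOWED_SCHEMES };
```

The allow-list approach is deliberate: a deny-list of `javascript:` spellings misses encodings the browser still accepts, whereas parsing first and then comparing the normalised scheme against a short allow-list leaves nothing to enumerate. The server-side validation the answer asks for should apply the same rule when the value is stored, so the client check is a second line of defence rather than the only one.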