XSS in tutorial example #11

bls · 2015-01-13T01:30:00Z

Hi,

There is a pretty obvious XSS in the example code -- a comment such as:

 <img onmouseover="alert(1);" src="http://www.frikipedia.es/images/thumb/d/d5/Asdsa-asdas.jpg/300px-Asdsa-asdas.jpg">

Will trigger JS exec.

There are some XSS "signposts" in the tutorial (Quote: "Remember: by using this feature you're relying on Showdown to be secure."), but ultimately this isn't setting a great example for new react developers.

Thanks - Blair.

The text was updated successfully, but these errors were encountered:

bls · 2015-01-13T01:33:34Z

Oh, it seems like this is related to this: showdownjs/showdown#70 ... (i.e, the comment regarding "relying on showdown to be secure" is spot on).

zpao · 2015-01-13T02:06:25Z

Meh, this is far and away not the point of the tutorial. It's not production code, it's a tutorial. And we call out that by using dangerouslySetInnerHTML you are explicitly opting out of React's protection.

Thanks for calling it out, but I don't think it's worth making an effort to fix.

Issues with the letter 's'

zpao closed this as completed Jan 13, 2015

shenxl pushed a commit to shenxl/react-tutorial that referenced this issue Sep 15, 2015

Merge pull request reactjs#11 from wbecker/patch-5

bd350d5

Issues with the letter 's'

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

XSS in tutorial example #11

XSS in tutorial example #11

bls commented Jan 13, 2015

bls commented Jan 13, 2015

zpao commented Jan 13, 2015

XSS in tutorial example #11

XSS in tutorial example #11

Comments

bls commented Jan 13, 2015

bls commented Jan 13, 2015

zpao commented Jan 13, 2015