There's a potential XSS problem when using this library with server-side rendering (arguably one of the most prominent use cases for rendering JSON-LD):
// Minimal Express server that server-side-renders a page containing a JsonLd element.
const React = require("react");
const express = require("express");
const ReactDOMServer = require("react-dom/server");
const { JsonLd } = require("react-schemaorg");

// Untrusted input holding a closing script tag. React escapes it when it is
// rendered as text inside the <p>, but inside a <script type="application/ld+json">
// block HTML entity escaping does not apply: the browser ends the script element
// at the first "</script>" and parses what follows as markup. A serializer that
// embeds JSON in a <script> therefore has to escape "<" itself (e.g. as \u003c).
const dangerous = "</script><script>alert('xss')</script>";

const app = express();

app.get("/", (req, res) => {
  const html = ReactDOMServer.renderToString(
    <div>
      <p>It's ok here: {dangerous}</p>
      <p>
        But not here: <JsonLd item={{ name: dangerous }} />
      </p>
    </div>
  );
  res.send(html);
});

app.listen(2000, () => console.log("Listening on port 2000"));
This results in an alert being shown when accessing http://localhost:2000. Here's a repo to reproduce the issue quickly: https://github.com/DeX3/react-schemaorg-ssr-xss-poc