5

Is there an example of misuse of dangerouslySetInnerHTML in ReactJS?

Every time I look this up, it's just someone waving their hand and saying "cross site scripting."

I've seen dangerouslySetInnerHTML used to load CSS files with a css loading npm module:

import {stylesheet, classNames} from '../static/css/styles.css'
<Head><style dangerouslySetInnerHTML={{__html: stylesheet}} /></Head>

And I'm contemplating using dangerouslySetInnerHTML for some script tags for social media share buttons that have been causing my team trouble.

Code examples and explanations of how one would go about hacking a page with XSS would be highly appreciated!

4
  • 1
    <script dangerouslySetInnerHTML={{__html: someTextSubmittedByAUser}}></script> Commented Jun 16, 2017 at 16:01
  • 1
    Simple, all you need is a < in the string you are assigning to dangerouslySetInnerHTML Commented Jun 16, 2017 at 16:01
  • 2
    Same way as any other rendering into the DOM; it's not unique to React. Commented Jun 16, 2017 at 16:03
  • 1
    As Dave said, this is a generic security threat, not specific to React. OWASP has a superb cheat sheet on things you should avoid doing and how to mitigate the effects: owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet Commented Jun 16, 2017 at 16:55

1 Answer 1

16
<span dangerouslySetInnerHTML={{__html: someTextSubmittedByAUser}}></span>

Imagine if you had a comment section on your page and someone submitted a comment with:

<script>while(1){}</script>

and you just passed that as the inner HTML to some node. Now anyone who hits a page which loads that comment will have their tab lock up.

There are far more nefarious things people can do. Copying your cookies and sending them to a remote server, for example.
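To make the difference concrete, here is an added example (not part of the answer above): it mirrors what React does with a text child versus what dangerouslySetInnerHTML does with the same comment string, and adds a small heuristic check a defender could run over rendered output. The escape table matches React's text escaping; the pattern list and function names are my own assumptions, and it is a detector, not a sanitizer.

```javascript
// Added example: how React renders a user comment as text versus as raw
// markup, plus a coarse check for markup that would execute on load.

// React escapes these five characters in text children (and attribute
// values) before they reach the DOM, so a submitted "<script>" stays inert.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Equivalent of <span>{comment}</span>: the comment becomes a text node.
function renderCommentSafe(comment) {
  return `<span>${escapeHtml(comment)}</span>`;
}

// Equivalent of <span dangerouslySetInnerHTML={{ __html: comment }} />:
// the comment is parsed as HTML exactly as the user submitted it.
function renderCommentUnsafe(comment) {
  return `<span>${comment}</span>`;
}

// Assumed heuristic for a review or logging step: does the fragment contain
// a tag that runs or loads something? Every pattern is anchored on a real
// "<", which escaped text never contains, so the safe path is never flagged.
const ACTIVE_MARKUP = [
  /<script\b/i,                                      // <script>while(1){}</script>
  /<iframe\b/i,
  /<[^>]*\son[a-z]+\s*=/i,                           // <img onerror=...>
  /<[^>]*\b(href|src)\s*=\s*["']?\s*javascript:/i,  // <a href="javascript:...">
];

function containsActiveMarkup(html) {
  return ACTIVE_MARKUP.some((re) => re.test(html));
}

// Constructed sample: the comment from the answer above.
const hostileComment = '<script>while(1){}</script>';
console.log('text child   :', renderCommentSafe(hostileComment));
console.log('innerHTML    :', renderCommentUnsafe(hostileComment));
console.log('flagged unsafe:', containsActiveMarkup(renderCommentUnsafe(hostileComment)));
console.log('flagged safe  :', containsActiveMarkup(renderCommentSafe(hostileComment)));
```

The stylesheet case in the question differs only in where the string comes from: a file you ship is trusted input, a comment field is not.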
