Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Safe alternative to dangerouslySetInnerHTML

Tags:

reactjs

I would like to have a dynamic blog on my site (which uses React). Initially, I was going to store the posts in raw HTML in my database and generate the content using dangerouslySetInnerHTML. I am however concerned about the security implications. While my app doesn't have any sensitive data, I'm not well enough versed in XSS to know all the dangers I'd be opening my app up to.

I'm curious if there's a performant, safe way to dynamically load blog pages within my app. Would using https://github.com/odysseyscience/react-router-proxy-loader be useful in this case? Have a folder of blog post JSX separate from the rest of my app and load it using this (admittedly, I'm not sure how react-router-proxy-loader works).

I'm open to suggestions.

like image 709
Kevin Avatar asked Mar 14 '15 01:03

Kevin

People also ask

Should I avoid dangerouslySetInnerHTML?

Dynamically rendering benign HTML code in React requires the use of dangerouslySetInnerHTML . That is not a naming mistake. This property is dangerous, and using it carelessly will create XSS vulnerabilities in your application.

Is it safe to use dangerouslySetInnerHTML?

The Dangers of DangerouslySetInnerHTMLIt is not safe to simply add your HTML code as this is prone to Cross Site Scripting or XSS attacks for short. XSS attack is a type of security vulnerability where attackers inject code client-side to steal information and perform malicious scripts in the app.

What to use instead of innerHTML in React?

According to the official documentation, dangerouslySetInnerHTML is React's replacement for using innerHTML in the browser DOM. This means that if in React if you have to set HTML programmatically or from an external source, you would have to use dangerouslySetInnerHTML instead of traditional innerHTML in Javascript.

How do I convert HTML to JSX?

You can use https://magic.reactjs.net/htmltojsx.htm which is an online HTML to JSX compiler. Show activity on this post. You can also use https://transform.tools/html-to-jsx beside https://magic.reactjs.net/htmltojsx.htm as mentioned above. Show activity on this post.

1 Answers

If XSS is your primary concern, you can use DOMPurify to sanitize your HTML before inserting it in the DOM via dangerouslySetInnerHTML. It's just 10K minified. And it works in Node too.

like image 170
Alexandre Kirszenberg Avatar answered Oct 13 '22 21:10

Alexandre Kirszenberg
Sign in to Comment

Related questions

How to configure package.json to run eslint script
Expected corresponding JSX closing tag for input Reactjs
Import JavaScript file and call functions using webpack, ES6, ReactJS
How to change the border color of MUI TextField
Jest, Enzyme: Invariant Violation: You should not use <Route> or withRouter() outside a <Router>
Extending HTML elements in React and TypeScript while preserving props
How do I pass state through React_router?
How do I dynamically set HTML5 data- attributes using react?
Passing props to react-redux container component
Set min/max on TextField type="number"?
onClick works but onDoubleClick is ignored on React component
How can I attach to a stateless component's ref in React?
Is there a way to check if the react component is unmounted?
ERROR in Cannot find module 'babel-core'. using react.js, webpack, and express server
Clear and reset form input fields
expected assignment or function call: no-unused-expressions ReactJS
React Function Components with hooks vs Class Components
What is the quickest way to convert a React app to React Native?
Error : Cannot read property 'map' of undefined
React dev tools - Deactivate "break on warnings"

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!