I am working on an isomorphic SPA in React that accepts user input and uses Alt.js to manage state. When the user first downloads the application, the server generates and serves an HTML file that sets the initial state in the DOM, and the client downloads it and loads it into the alt store.
Unfortunately, this is ... something of a security hole. Here is some of the (heavily abbreviated) code.
// actual component
var React = require('react');
var ReactDOMServer = require('react-dom/server');
var Html = React.createClass({
  render: function () {
    // the snapshot string is inserted as raw HTML, not as text
    return <div id="snapshot" dangerouslySetInnerHTML={{ __html: this.props.snapshot }} />;
  }
});
var HTMLComponent = React.createFactory(Html);

// server-side rendering of the component
var html = "<!DOCTYPE html>" +
  ReactDOMServer.renderToString(HTMLComponent({ snapshot: alt.flush() }));
res.status(200).send(html);

// client loads initial state
alt.bootstrap($('#snapshot').html());
Now you can cringe.
Since I literally just output JSON as HTML, any unsafe content that might end up in the JSON (e.g. { name : '<script>whatever</script>' }) will simply execute.
Question
I considered a <script type="application/json"></script> tag instead, but a value such as { name : '</script><script>nastyjs</script>' } would close that tag early and the injected script would run.
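One way to embed the snapshot without ever treating it as HTML, as an added example that is not part of the original post: serialize the state into a data-only script tag with the characters that could terminate it escaped as JSON \uXXXX sequences, and parse it back with JSON.parse on the client. The function names (serializeForScriptTag, renderSnapshotTag, readSnapshot, canBreakOut) and the hostile sample state are assumptions of this example; in the browser, readSnapshot would be fed document.getElementById('snapshot').textContent.

```javascript
// Added example (not from the original post). A JSON string may legally
// contain "</script>", so "<", ">" and "&" are rewritten as \u escapes
// before the text is placed inside <script type="application/json">.
// JSON.parse understands these escapes, so the client gets the original
// values back unchanged.
function serializeForScriptTag(state) {
  return JSON.stringify(state)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    // U+2028/U+2029 are valid in JSON but were line terminators in older JS
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Server side: a script element with a non-JS type is never executed by the
// browser; it only stores text. Nothing here goes through dangerouslySetInnerHTML.
function renderSnapshotTag(state) {
  return '<script id="snapshot" type="application/json">' +
    serializeForScriptTag(state) +
    '</script>';
}

// Client side: parse the element's textContent (NOT its innerHTML).
function readSnapshot(scriptText) {
  return JSON.parse(scriptText);
}

// Check used below: could this serialized body close the <script> early?
function canBreakOut(serialized) {
  return /<\/script/i.test(serialized);
}

// Constructed hostile state, the payload the question worries about.
const hostileState = { name: '</script><script>nastyjs</script>' };

// Plain JSON.stringify still carries the literal "</script>"...
const unsafeBody = JSON.stringify(hostileState);
// ...while the escaped body does not, yet parses back to the same object.
const safeBody = serializeForScriptTag(hostileState);
```

Check the round trip with readSnapshot(safeBody); canBreakOut(unsafeBody) is true, canBreakOut(safeBody) is false.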