JS-0440 · Avoid using dangerous JSX properties

Avoid using dangerous JSX properties JS-0440

Security

Major

5 months ago — 5 months old

react a03 sans top 25 owasp top 10 cwe-937

Dangerous property 'dangerouslySetInnerHTML' found

app/javascript/mastodon/features/status/components/card.js

177      <div
178        ref={this.setRef}
179        className='status-card__image status-card-video'
180        dangerouslySetInnerHTML={content}181        style={{ height }}
182      />
183    );

Dangerous property 'dangerouslySetInnerHTML' found

app/javascript/mastodon/features/account_timeline/components/moved_note.js

35      <div className='account__moved-note'>
36        <div className='account__moved-note__message'>
37          <div className='account__moved-note__icon-wrapper'><Icon id='suitcase' className='account__moved-note__icon' fixedWidth /></div>
38          <FormattedMessage id='account.moved_to' defaultMessage='{name} has moved to:' values={{ name: <bdi><strong dangerouslySetInnerHTML={displayNameHtml} /></bdi> }} />39        </div>
40
41        <a href={to.get('url')} onClick={this.handleAccountClick} className='detailed-status__display-name'>

Dangerous property 'dangerouslySetInnerHTML' found

app/javascript/mastodon/components/status_content.js

245    } else {
246      return (
247        <div className={classNames} ref={this.setRef} tabIndex='0' onMouseEnter={this.handleMouseEnter} onMouseLeave={this.handleMouseLeave}>
248          <div className='status__content__text status__content__text--visible translate' dangerouslySetInnerHTML={content} />249
250          {!!status.get('poll') && <PollContainer pollId={status.get('poll')} />}
251

Dangerous property 'dangerouslySetInnerHTML' found

app/javascript/mastodon/components/status_content.js

229    } else if (this.props.onClick) {
230      const output = [
231        <div className={classNames} ref={this.setRef} tabIndex='0' onMouseDown={this.handleMouseDown} onMouseUp={this.handleMouseUp} key='status-content' onMouseEnter={this.handleMouseEnter} onMouseLeave={this.handleMouseLeave}>
232          <div className='status__content__text status__content__text--visible translate' dangerouslySetInnerHTML={content} />233
234          {!!status.get('poll') && <PollContainer pollId={status.get('poll')} />}
235

Dangerous property 'dangerouslySetInnerHTML' found

app/javascript/mastodon/components/status_content.js

219
220          {mentionsPlaceholder}
221
222          <div tabIndex={!hidden ? 0 : null} className={`status__content__text ${!hidden ? 'status__content__text--visible' : ''} translate`} dangerouslySetInnerHTML={content} />223
224          {!hidden && !!status.get('poll') && <PollContainer pollId={status.get('poll')} />}
225

Description

Dangerous properties in React are those whose behavior is known to be a common source of application vulnerabilities. The properties names clearly indicate they are dangerous and should be avoided unless great care is taken.

dangerouslySetInnerHTML is React's replacement for using innerHTML in the browser DOM. In general, setting HTML from code is risky because it's easy to inadvertently expose your users to a cross-site scripting (XSS) attack. So, you can set HTML directly from React, but you have to type out dangerouslySetInnerHTML and pass an object with a __html key, to remind yourself that it’s dangerous.

If you want to have dynamic HTML content that is not possible to achieve using regular React code, add a skipcq comment to prevent DeepSource from flagging this issue, along with an explanation.

Bad Practice

import React from 'react';

const Hello = <div dangerouslySetInnerHTML={{ __html: "Hello World" }}></div>;

magicstone-dev / ecko

Bad Practice

Recommended

References