This repository was archived by the owner on Jun 22, 2020. It is now read-only.
Ultimately this is a server-side bug and NOT a bug in React itself. This issue is about figuring out if there is something we can do to mitigate issues when you have a JSON parsing bug or some server-side issue.
So unless you are accepting arbitrary JSON from the client and sending it back to other clients and then feeding that arbitrary JSON into React, this bug probably doesn't affect you. If you are accepting arbitrary JSON from users and sending it back to other users, you likely have bigger issues.
Having said that, the React team takes any security concerns extraordinarily seriously, and the team is working on potential solutions to mitigate security bugs that might be introduced by insecure server implementations. The additional security checks will likely appear in the next version of React, as per the discussion on this topic in facebook/react#3473.
hipo doesn't use React but implements a subset of its ideas. I was interested in the linked discussion mainly to check if some related points could be relevant to this project.
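As an added illustration (not code from hipo, React, or the original issue): one way a virtual-DOM library can refuse node look-alikes that arrive through parsed JSON is to brand the nodes it creates with a Symbol, which JSON cannot encode. All names here (`createNode`, `isTrustedNode`, `renderText`, the `$$brand` field) and the sample payloads are hypothetical and constructed for the example.

```javascript
// Hypothetical brand: JSON.parse can only yield strings, numbers, booleans,
// null, arrays and plain objects, so it can never produce this Symbol value.
const NODE_BRAND = Symbol.for('example.vnode');

// Only code that calls createNode() obtains a branded node.
function createNode(type, props, ...children) {
  if (!/^[a-z][a-z0-9]*$/.test(type)) throw new TypeError('invalid tag name');
  return Object.freeze({ $$brand: NODE_BRAND, type, props: props || {}, children });
}

function isTrustedNode(value) {
  return typeof value === 'object' && value !== null && value.$$brand === NODE_BRAND;
}

function escapeText(s) {
  return s.replace(/[&<>]/g, (c) => ({ '&': '&amp;', '<': '&lt;', '>': '&gt;' }[c]));
}

// Render a tree to a string. Strings are escaped, branded nodes are rendered,
// and any other object (for example one that came out of JSON.parse) is refused.
function renderText(value) {
  if (typeof value === 'string') return escapeText(value);
  if (typeof value === 'number') return String(value);
  if (Array.isArray(value)) return value.map(renderText).join('');
  if (isTrustedNode(value)) {
    return `<${value.type}>${renderText(value.children)}</${value.type}>`;
  }
  throw new TypeError('refusing to render unbranded object as a node');
}

// Wrapper so callers can see the outcome without a try/catch.
function tryRender(value) {
  try {
    return { ok: true, html: renderText(value) };
  } catch (err) {
    return { ok: false, error: err.message };
  }
}

// Constructed server responses: the "comment" field is expected to be a string.
const expected = JSON.parse('{"comment":"a < b"}');
const lookalike = JSON.parse('{"comment":{"type":"b","props":{},"children":["forged"]}}');

console.log(tryRender(createNode('p', null, expected.comment)));
console.log(tryRender(createNode('p', null, lookalike.comment)));
```

The check only covers the client-side rendering path; validating field types on the server remains the primary fix, as the quoted text above says.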