Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Does VDOM support injecting a 'script' element? #12

Open
bryanchen-d opened this issue Jun 11, 2020 · 1 comment
Open

Does VDOM support injecting a 'script' element? #12

bryanchen-d opened this issue Jun 11, 2020 · 1 comment

Comments

@bryanchen-d
Copy link
Contributor

Application or Package Used
@nteract/core

I'm evaluating if there is any XSS risks by turning on the VDOM transform, code like

VDOM({
    'tagName': 'script',
    'attributes':{},
    'children': "console.log(\"vdom\");alert(\"vdom\");"
})

would run, however the script is not executed, I am wondering if the content of VDOM object gets sanitized?
@captainsafia
Copy link
Member

Transferring this to nteract/outputs.

The VDOM transform doesn't sanitize outputs. The reason the code isn't executed is because VDOM inserts elements into the UI using React's React.createElement API which inserts the element into React's virtual DOM, which is then copied to the browser's DOM. As a result, the script is never actually executed.

@captainsafia captainsafia transferred this issue from nteract/nteract Jun 19, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@captainsafia @bryanchen-d