Levi007

Reputation: 335

Is setting innerHTML from sanitized HTML still dangerous?

There is a replacement for innerHTML in React: dangerouslySetInnerHTML.

Its name scares me.

In the React documents I read that:

In general, setting HTML from code is risky because it’s easy to inadvertently expose your users to a cross-site scripting (XSS) attack.

But I sanitized my HTML with DOMPurify. Does this completely protect me from XSS attacks?

Upvotes: 2

Views: 1510

Answers (2)

T.J. Crowder

Reputation: 1074495

Its name scares me.

It's supposed to. :-)

But I sanitized my HTML with DOMPurify. Does this completely protect me from XSS attacks?

It claims to:

DOMPurify sanitizes HTML and prevents XSS attacks. You can feed DOMPurify with a string full of dirty HTML and it will return a string (unless configured otherwise) with clean HTML. DOMPurify will strip out everything that contains dangerous HTML and thereby prevent XSS attacks and other nastiness.

Whether you believe the claim is really your call to make. That said, sanitizing HTML is a well-studied problem so it's certainly possible to do. I make no claims for that particular library, which I haven't used or audited.

Upvotes: 3

CertainPerformance

Reputation: 370819

But I sanitized my HTML with DOMPurify. Does this completely protect me from XSS attacks?

Likely yes, but it's not 100% guaranteed. If DOMPurify doesn't have bugs that will let XSS through, setting innerHTML or dangerouslySetInnerHTML with its results will be safe. DOMPurify is open-source and relatively popular, so if it did have such vulnerabilities, they would probably have been seen by now.

But, like with everything humans do, mistakes and coincidences that result in vulnerabilities not being seen are still possible.

Upvotes: 3
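The pattern the question asks about, written out as an added example (this is not code from the question, from DOMPurify or from React). It assumes a DOMPurify-compatible API: `DOMPurify.sanitize(dirty, config)` returning a string, and the library's `DOMPurify.removed` array describing what the last call stripped. The allowlist in `SAFE_HTML_CONFIG` uses real DOMPurify option names, but the particular tags and attributes chosen are an assumption for a simple rich-text widget. Sanitizing happens in one place, at render time, and anything the sanitizer had to remove is reported, which gives you a cheap signal that someone is submitting active markup even when the sanitizer holds up.

```javascript
// Added example; assumes a DOMPurify-compatible sanitizer (not the project's own code).

// Explicit allowlist. Option names are real DOMPurify config keys; the chosen
// tags/attributes are an assumption for a comment-style widget.
const SAFE_HTML_CONFIG = {
  ALLOWED_TAGS: ['p', 'br', 'b', 'i', 'em', 'strong', 'a', 'ul', 'ol', 'li', 'code', 'pre'],
  ALLOWED_ATTR: ['href', 'title'],
  ALLOWED_URI_REGEXP: /^(?:https?:|mailto:)/i,
};

// Turn one DOMPurify.removed entry into a short, loggable description.
function describeRemoval(entry) {
  if (entry.element) return `element:${entry.element.nodeName.toLowerCase()}`;
  if (entry.attribute) return `attribute:${entry.attribute.name}`;
  return 'unknown';
}

// Adapter around the real library so the render helper below only depends on
// a small interface: sanitize(dirty, config) -> { clean, removed }.
function adaptDomPurify(DOMPurify) {
  return (dirty, config) => {
    const clean = DOMPurify.sanitize(dirty, config);
    return { clean, removed: DOMPurify.removed.map(describeRemoval) };
  };
}

// Build the object React expects for dangerouslySetInnerHTML.
// Sanitize at render time (never trust HTML sanitized at save time: the
// sanitizer may have been fixed since) and report whatever was stripped.
function sanitizedHtmlProps(dirty, sanitize, { config = SAFE_HTML_CONFIG, report = () => {} } = {}) {
  const input = String(dirty);
  const { clean, removed } = sanitize(input, config);
  if (removed.length > 0) {
    report({ removed, inputLength: input.length });
  }
  return { __html: clean };
}

// React usage (assumed, not executed here):
//   <div dangerouslySetInnerHTML={sanitizedHtmlProps(userHtml, adaptDomPurify(DOMPurify))} />

module.exports = { SAFE_HTML_CONFIG, describeRemoval, adaptDomPurify, sanitizedHtmlProps };
```

The `report` callback is where you would send a structured log event; a user whose every post loses a `<script>` element on the way to the page is worth looking at regardless of whether the sanitizer caught it.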
