Array arguments aren't escaped #10
Hi @aqueenan, Yes, that's by design as it allows for nested interpolations. Ideally, you would pass every element of the array through the

```js
// ❌ Danger
var names = ["Some", "Name", "/><script>alert('xss')</script>"];
var string = html`
  <ul>
    ${names}
  </ul>
`;
// "<ul>SomeName/><script>alert('xss')</script></ul>"
```

```js
// ❌ Danger
var names = ["Some", "Name", "/><script>alert('xss')</script>"];
var string = html`
  <ul>
    ${names.map((name) => `
      <li>Hello, ${name}!</li>
    `)}
  </ul>
`;
// "<ul><li>Hello, Some!</li><li>Hello, Name!</li><li>Hello, /><script>alert('xss')</script>!</li></ul>"
```

```js
// ✅ Safe
var names = ["Some", "Name", "/><script>alert('xss')</script>"];
var string = html`
  <ul>
    ${names.map((name) => html`
      <li>Hello, ${name}!</li>
    `)}
  </ul>
`;
// The inner html`` escapes each name, so the third <li> holds the script tag
// as text (&lt;script&gt;...&lt;/script&gt;), not as live markup.
```

If we were to escape array elements, then you wouldn't be able to have nested interpolations.

```js
// ❌ This wouldn't work if we escaped array elements
var names = ["Some", "Name", "/><script>alert('xss')</script>"];
var string = html`
  <ul>
    ${names.map((name) => `
      <li>Hello, ${name}!</li>
    `)}
  </ul>
`;
// If array elements were escaped, the <li> strings built by the plain template
// literal would be escaped as well and render as literal text instead of list items.
```

Ultimately, what the

Proposal:

Advantages:

Disadvantage: It's a breaking change.
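One way to reconcile the two goals discussed above, escaping raw array elements while still allowing nested interpolation, is to have the tag mark its own output as already-safe and escape everything else. The following is an added example written for this thread, not the library's code: the names `escapeHtml`, `SafeHtml`, `render`, `html` and the three case functions are assumptions, and the `names` array is a constructed sample mirroring the payload in the comment.

```javascript
// Added example, not the project's implementation. Demonstrates an `html` tag
// that escapes every raw interpolation, including each element of an array,
// while letting results of a nested html`...` call through unescaped.

const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Escape the characters that can break out of HTML text or attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Marker for markup that `html` itself produced and therefore trusts.
class SafeHtml {
  constructor(markup) {
    this.markup = markup;
  }
  toString() {
    return this.markup;
  }
}

// Convert one interpolated value to safe markup:
//  - a SafeHtml (nested html`...` result) passes through unchanged,
//  - an array is rendered element by element, so raw elements are escaped
//    but nested SafeHtml elements are not, which keeps nesting working,
//  - null/undefined render as empty, everything else is stringified and escaped.
function render(value) {
  if (value instanceof SafeHtml) return value.markup;
  if (Array.isArray(value)) return value.map(render).join("");
  if (value === null || value === undefined) return "";
  return escapeHtml(value);
}

// Tag function: the static template chunks are trusted, interpolations are not.
function html(strings, ...values) {
  let out = strings[0];
  for (let i = 0; i < values.length; i++) {
    out += render(values[i]) + strings[i + 1];
  }
  return new SafeHtml(out);
}

// Constructed sample input, same shape as the payload in the issue thread.
const names = ["Some", "Name", "/><script>alert('xss')</script>"];

// Case 1: array interpolated directly. Each element is escaped here.
function directArray() {
  return String(html`<ul>${names}</ul>`);
}

// Case 2: nested plain template literal. The inner result is a raw string, so
// the <li> tags it builds are escaped too and would show up as visible text.
function nestedPlainLiteral() {
  return String(html`<ul>${names.map((name) => `<li>Hello, ${name}!</li>`)}</ul>`);
}

// Case 3: nested html`...` keeps the <li> markup and escapes only the name.
function nestedHtmlLiteral() {
  return String(html`<ul>${names.map((name) => html`<li>Hello, ${name}!</li>`)}</ul>`);
}

console.log(directArray());
console.log(nestedPlainLiteral());
console.log(nestedHtmlLiteral());
```

Case 2 is the trade-off the comment above points at: once array elements are escaped, a nested plain template literal no longer produces markup, so callers have to nest `html` calls (case 3) to get list items. In exchange, no raw string reaches the output unescaped, whichever way the array was built.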
If you pass in an array argument, the elements of the array are joined, but the result isn't escaped, so there is an opportunity for script injection.