Safe alternative to dangerouslySetInnerHTML

reactjs

If XSS is your primary concern, you can use DOMPurify to sanitize your HTML before inserting it in the DOM via dangerouslySetInnerHTML. It's just 10K minified. And it works in Node too.


The article How to prevent XSS attacks when using dangerouslySetInnerHTML in React suggests to use jam3/no-sanitizer-with-danger eslint rule to check that the content passed to dangerouslySetInnerHTML is wrapped in this sanitizer function

Example of valid code is 

const sanitizer = dompurify.sanitize;
return <div dangerouslySetInnerHTML={{__html: sanitizer(title)}} />; // Good

It also describes 3 sanitizer libraries:
DOMPurify
Xss.
xss-filters.


https://facebook.github.io/react/tips/dangerously-set-inner-html.html

"The prop name dangerouslySetInnerHTML is intentionally chosen to be frightening. ..."

"After fully understanding the security ramifications and properly sanitizing the data..."

I figure, if you trust your own CMS/Server (and not receiving from a 3rd party), which has sanitized the data (this step is also done), then you can insert using dangerouslySetInnerHTML.

As Morhaus said, maybe use DOMPurify as it (bonus) probably handles this unfortunate bit: "so the HTML provided must be well-formed (ie., pass XML validation)." I suspect some content using the non-XML version of HTML5 might otherwise be an issue. (Note: I haven't used it myself yet, since i'm new like you.)

Related

What is difference between MediatorLiveData and MutableLiveData in MVVM
Default member values best practice
Strange iframe added into body tags called `rufous-sandbox`
What is OncePerRequestFilter?
Redis set vs hash
How to handle failure in constructor in C++?
Distinction between typeclasses MonadPlus, Alternative, and Monoid?
str performance in python
Groovy map method of collections
Trying to understand what Travis CI does and when it should be used
Is there any reason to use a synchronous XMLHttpRequest?
Is there a way to see git diff from origin/master using Visual Studio Code?