-
Notifications
You must be signed in to change notification settings - Fork 47.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Stop syncing value attribute for controlled inputs #11896
Comments
I think we should really try and make this happen, many of these bugs are intractable. Do any other frameworks try and keep them in sync? It seems like something React does out of a sense that it wouldn't be too hard for some benefit (which isn't the case it's hard).
I don't think we've been able to verify that this is the case? even so tho i'd say that's the extensions's problem (which they should fix). I'll admit tho that stance is only tenable if there isn't a big problem with extensions do this. The form.reset case seems to be the most compelling for keeping the behavior, but as a strike against it, folks should probably not be using form.reset with controlled components, are their compelling reasons for that? (I've done a lot of work with forms in React and never used form reset with controlled components so IDK) |
If you are using controlled components, that means the state is kept somewhere, such as your form controller component. If you do want to be able to use
EDIT: looks like I did confuse |
I think the original justification for that was that a lot of people felt that mismatch between value attribute and property was counter-intuitive. By that time many people learned React before the DOM APIs and weren’t aware of the distinction. So it “felt wrong” to them that the attribute in the browser DevTools (looks like HTML!) doesn’t match the “attribute” they see in JSX (looks like HTML too!) I agree this was a poor justification in hindsight. We probably should’ve solved this by educating users instead (e.g. through documentation and blog posts). Unfortunately now that we’ve “fixed” this it’s likely more people rely on this behavior now. But ultimately I agree we should give up on this and change it back. |
I think we could do some neat stuff here. If the value attribute is not synchronized, we could allow controlled inputs to both control
It's possible I've forgotten already, but I feel like, every time this comes up, no-one is able to answer this question. I'd really love to nail this one down.
This is nice, but I think it is unique to React. I'd be okay with dropping this and conforming to the way standard HTML manages the value property/attribute natively. It's definitely simpler. |
If I get it right, #10150 is an implementation. I'll close it as stale but reference this issue. |
Oof. Should we send out a minor release that removes syncing of password inputs? |
This is something that's been brought up before as a concern, and it's a good argument in favor of removing attribute syncing (added to the list).
It's potentially dangerous behavior, but I believe it's still expected behavior regardless. I'm not sure it's worth releasing a breaking change in a minor release. If anything, it's a good incentive to upgrade to the next major release that removes attribute syncing, assuming we agree to do so. |
Relevant PoC exploit (relies on syncing) now making the rounds: |
I wonder how much of this is over-focus on one particular vector when there are others similar ones such as I don’t really have a good sense of how much worse it is with password fields. However the use cases are also much more limited so it wouldn’t hurt that bad to do it for password fields in a minor if we’re going to do it for other things later. |
I can get behind that. I think all defaultValue assignment pathways pass through here: It'd be pretty simple to add a case for passwords. |
I think things like this are just part and parcel with the web platform like: https://github.com/maxchehab/CSS-Keylogging But i do think that syncing value is breaking expectations for folks more so than it's an attack vector. |
I put up a demonstration site to easily see this in action: https://no-csp-css-keylogger.badsite.io/ In my very high-level GitHub searches, it seems that there are many thousands of repositories that sync value on password fields, let alone all the other fields. |
In the interim, might it be worthwhile to mention in the documentation: https://reactjs.org/docs/forms.html#controlled-components That it can be dangerous to sync |
Hello All, This is Erez from Checkmarx. Please correct me if I'm wrong, but I understand from this thread that a solution to this issue (and related vulnerability) is not expected in the near future. So this is a heads-up that we will add the detection in one of the coming releases. I totally agree with @april that a clear warning in the documentation will be very beneficial to the users. |
Changing this can potentially be breaking so it's not clear to me what is better. |
How about moving towards this in a graduated manner? For example:
Or something along those lines. You could take it as fast or as slow as possible (and that might be more steps than necessary). Given how many sites I've seen on GitHub with this pattern, it seems reasonable likely that it will break things like tools that check for password complexity, etc. |
We generally don't use global runtime feature flags like this because they break component ecosystem. |
I can send out a PR to do this by mid-day Monday. Mechanically it's pretty simple. |
Missed my own deadline! Just to give an update: I have this working client-side. The complex part actually turns out to be how to handle server-side rendering. I'm trying to figure out the best place to put the password exception and make sure it doesn't impact hydration diffing. |
Sent a PR out here: I think the approach could use a little refinement, but I believe it covers all of the edge cases:
|
Does #13526 replace this? |
Opening this as a follow up to some quick discussions in #11881. Syncing the
value
attribute has been a consistent source of bugs for us, and the benefits of doing so seem minimal. There's some previous discussion on the topic in #7359 and in other issues, I can't remember right now 😄This would be a breaking change, so it would have to be done in a major release.
Reasons to keep syncing
form.reset()
from putting controlled form inputs into a weird statevalue
attribute in some cases (not sure which)Reasons to stop syncing
react-dom
in a non-trivial wayWhat do we think? Are these reasons good enough to keep syncing the
value
attribute? Are there other more critical reasons we should keep doing so?cc @nhunzaker @jquense @gaearon
The text was updated successfully, but these errors were encountered: