
Sanitize unknown attribute names for SSR #13302

Merged: gaearon merged 1 commit into master from sanitize-ssr on Aug 1, 2018

Conversation

@gaearon (Collaborator) commented Aug 1, 2018

This is a fix for a minor vulnerability we discovered in the server renderer.
The fix has been cherry-picked to every affected minor release:

  • react-dom@16.0.1 (includes the mitigation)
  • react-dom@16.1.2 (includes the mitigation)
  • react-dom@16.2.1 (includes the mitigation)
  • react-dom@16.3.3 (includes the mitigation)
  • react-dom@16.4.2 (includes the mitigation)

For upgrade convenience, these releases were not cut from master, and only contain this fix.

The fix was coordinated with Vue and Preact.

For more info, read the blog post.
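The class of defect this PR title names, an attribute name that reaches the server-rendered markup without being validated, is easiest to see in a tiny renderer. The following is an added example and not React's code: a naive open-tag renderer that escapes values but trusts names, beside a hardened one that drops any name failing a character-class check. The regex is modelled on the XML Name production as an illustrative equivalent (assumption: it is not reproduced from React), and the `props` object with an attacker-shaped key is constructed sample input.

```javascript
// Added example, not from the React project: validating attribute names in a
// minimal server-side renderer, the defect class this PR's fix addresses.

// Name validation modelled on the XML Name production (assumption: an
// illustrative equivalent, not React's actual regex).
const NAME_START =
  ':A-Z_a-z\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF' +
  '\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD';
const NAME_CHAR = NAME_START + '\\-.0-9\\u00B7\\u0300-\\u036F\\u203F-\\u2040';
const VALID_ATTRIBUTE_NAME = new RegExp('^[' + NAME_START + '][' + NAME_CHAR + ']*$');

// Standard value escaping; this alone does not protect the *name* position.
function escapeAttributeValue(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// A name is safe to emit only if every character is a legal name character.
function isAttributeNameSafe(name) {
  return VALID_ATTRIBUTE_NAME.test(name);
}

// Naive renderer: escapes values but writes attribute names verbatim, so a
// quote or bracket inside a name lands in the markup unchanged.
function renderOpenTagUnsafe(tag, props) {
  let out = '<' + tag;
  for (const [name, value] of Object.entries(props)) {
    out += ' ' + name + '="' + escapeAttributeValue(value) + '"';
  }
  return out + '>';
}

// Hardened renderer: an invalid name is dropped and reported via onDropped
// (a hypothetical hook for logging), never written to the output.
function renderOpenTag(tag, props, onDropped = () => {}) {
  let out = '<' + tag;
  for (const [name, value] of Object.entries(props)) {
    if (!isAttributeNameSafe(name)) {
      onDropped(name);
      continue;
    }
    out += ' ' + name + '="' + escapeAttributeValue(value) + '"';
  }
  return out + '>';
}

// Constructed sample: one legitimate key and one key with a quote in it, as
// might arrive when prop names are derived from untrusted input.
const sampleProps = { 'data-id': '7', 'x"y': '1' };
const dropped = [];
console.log(renderOpenTagUnsafe('div', sampleProps)); // quote leaks into the tag
console.log(renderOpenTag('div', sampleProps, (n) => dropped.push(n)), dropped);
```

Note that value escaping is already correct in both renderers; the difference is entirely in whether the name position is validated, which is why escaping alone was not sufficient for the server renderer.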

@gaearon gaearon merged commit ff41519 into master Aug 1, 2018
@gaearon gaearon deleted the sanitize-ssr branch August 1, 2018 19:26
@developit (Contributor) commented

Thanks for coordinating this, @gaearon!

segoddnja pushed a commit to segoddnja/react that referenced this pull request Aug 1, 2018
azu added a commit to jser/jser.github.io that referenced this pull request Aug 7, 2018
#536)

* [Chromium Blog: Chrome 69 Beta: CSS tricks, and more](https://blog.chromium.org/2018/08/chrome-69-beta-av1-video-decoder-css.html "Chromium Blog: Chrome 69 Beta: CSS tricks, and more")
* [React v16.4.2: Server-side vulnerability fix - React Blog](https://reactjs.org/blog/2018/08/01/react-v-16-4-2.html "React v16.4.2: Server-side vulnerability fix - React Blog")
  * [Sanitize unknown attribute names for SSR by gaearon · Pull Request #13302 · facebook/react](facebook/react#13302 "Sanitize unknown attribute names for SSR by gaearon · Pull Request #13302 · facebook/react")
* [Release 8.3.0 · developit/preact](https://github.com/developit/preact/releases/tag/8.3.0 "Release 8.3.0 · developit/preact")
* [Things to be careful about so as not to introduce XSS in Vue.js - SST Engineer Blog](https://techblog.securesky-tech.com/entry/2018/08/01/110000 "Things to be careful about so as not to introduce XSS in Vue.js - SST Engineer Blog")
* [Fusion.js Documentation](https://fusionjs.com/ "Fusion.js Documentation")
* [Introducing Fusion.js: A Plugin-based Universal Web Framework](https://eng.uber.com/fusionjs/ "Introducing Fusion.js: A Plugin-based Universal Web Framework")
* [Deprecations and removals in Chrome 69  |  Web  |  Google Developers](https://developers.google.com/web/updates/2018/08/chrome-69-deps-rems "Deprecations and removals in Chrome 69  |  Web  |  Google Developers")
* [Chrome Platform Status](https://www.chromestatus.com/features#browsers.chrome.desktop%3D69 "Chrome Platform Status")