
sanitize javascript: urls for <object> tags #29808

Merged (1 commit) Jun 14, 2024

Conversation


@kassens kassens commented Jun 7, 2024

sanitize javascript: urls for `<object>` tags

React 19 added sanitization for `javascript:` URLs for `href` properties on various tags. This PR adds that sanitization for `<object>` tags as well, which Firefox otherwise executes.



react-sizebot commented Jun 7, 2024

Comparing: f3e09d6...475b518

Critical size changes

Includes critical production bundles, as well as any change greater than 2%:

Name +/- Base Current +/- gzip Base gzip Current gzip
oss-stable/react-dom/cjs/react-dom.production.js = 6.66 kB 6.66 kB +0.05% 1.82 kB 1.82 kB
oss-stable/react-dom/cjs/react-dom-client.production.js +0.03% 497.80 kB 497.93 kB +0.02% 89.24 kB 89.26 kB
oss-experimental/react-dom/cjs/react-dom.production.js = 6.67 kB 6.67 kB +0.05% 1.83 kB 1.83 kB
oss-experimental/react-dom/cjs/react-dom-client.production.js +0.03% 502.62 kB 502.75 kB +0.02% 89.94 kB 89.96 kB
facebook-www/ReactDOM-prod.classic.js +0.02% 597.04 kB 597.17 kB +0.02% 105.31 kB 105.33 kB
facebook-www/ReactDOM-prod.modern.js +0.02% 571.38 kB 571.52 kB +0.01% 101.25 kB 101.27 kB
test_utils/ReactAllWarnings.js Deleted 63.50 kB 0.00 kB Deleted 15.90 kB 0.00 kB

Significant size changes

Includes any change greater than 0.2%:




kassens commented Jun 10, 2024

My open question is whether we have a preferred behavior for `<object data="" />`.

@sebmarkbage (Collaborator)

What does <object data=""> do in the browser?

  • If it does something useful, then we shouldn't error.
  • If it loads the current page's URL as an external object, then we should error.

The goal is to not accidentally load current page URL a second time for no good reason.

@sebmarkbage (Collaborator)

Seems like you have some failing tests too.


kassens commented Jun 12, 2024

Tests pass now.

Implemented removing the string removal to match general empty string behavior.

I couldn't repro the behavior of re-requesting the page either with imgs or object tags, maybe I'm missing something or it doesn't show up in the network panel. Had a repro in this sandbox: https://codesandbox.io/p/sandbox/upbeat-hofstadter-dvmlwv?file=%2Findex.html%3A12%2C1


eps1lon commented Jun 12, 2024

I couldn't repro the behavior of re-requesting the page either with imgs or object tags, maybe I'm missing something or it doesn't show up in the network panel.

It seems like Chrome (and possibly other browsers?) are no longer trying to render an image with an empty src attribute. Apparently this is even specced behavior: whatwg/html#3280 (comment)
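A minimal model of the two behaviors discussed in this thread, written as an added example and not taken from React's source: a case- and whitespace-tolerant `javascript:` scheme check applied to `<object data>`, and the empty-string case (`data=""`) handled by omitting the attribute rather than passing it through. The regular expression, the inert replacement value `about:blank`, and the function names are this example's own assumptions; React's actual implementation details are not shown on this page.

```javascript
// Added example, not React's own code: a minimal model of the check this PR
// extends from href to <object data>. The tolerances assumed here (leading ASCII
// control characters or spaces before the scheme, tab/CR/LF interleaved in the
// scheme name, case-insensitive matching) are the ones URL parsing in browsers allows.
const JAVASCRIPT_SCHEME =
  /^[\u0000-\u001f ]*j[\r\n\t]*a[\r\n\t]*v[\r\n\t]*a[\r\n\t]*s[\r\n\t]*c[\r\n\t]*r[\r\n\t]*i[\r\n\t]*p[\r\n\t]*t[\r\n\t]*:/i;

// Inert replacement value chosen for this example (assumption, not React's value).
const BLOCKED_URL = "about:blank";

function isJavaScriptUrl(value) {
  return JAVASCRIPT_SCHEME.test(value);
}

// Decide what the <object data> attribute receives:
//   null        -> omit the attribute (the data="" case debated in the thread,
//                  treated like any other empty-string attribute)
//   BLOCKED_URL -> the value used a javascript: scheme
//   value       -> anything else passes through unchanged
function sanitizeObjectData(value) {
  if (value == null) return null;
  const str = String(value);
  if (str === "") return null;
  return isJavaScriptUrl(str) ? BLOCKED_URL : str;
}

// Escape the two characters that matter inside a double-quoted attribute.
function escapeAttr(s) {
  return s.replace(/&/g, "&amp;").replace(/"/g, "&quot;");
}

// Render the markup that would be emitted for <object data={data} />.
function renderObjectTag(data) {
  const sanitized = sanitizeObjectData(data);
  return sanitized === null
    ? "<object></object>"
    : `<object data="${escapeAttr(sanitized)}"></object>`;
}

// Constructed inputs covering the cases discussed in the PR.
const samples = [
  "https://example.com/report.pdf",     // ordinary URL, kept
  "JavaScript:void(0)",                 // mixed case, blocked
  "\t\n java\tscript:void(0)",          // leading whitespace + interleaved tab, blocked
  "javascript.example.com/plugin.swf",  // not a scheme (no colon), kept
  "",                                   // empty string, attribute omitted
];
for (const s of samples) console.log(JSON.stringify(s), "->", renderObjectTag(s));
```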

@kassens kassens requested a review from sebmarkbage June 12, 2024 20:19
@kassens kassens merged commit f0e8164 into facebook:main Jun 14, 2024
44 checks passed
@kassens kassens deleted the pr29808 branch June 14, 2024 17:17
github-actions bot pushed a commit that referenced this pull request Jun 14, 2024
sanitize javascript: urls for <object> tags

React 19 added sanitization for `javascript:` URLs for `href` properties
on various tags. This PR also adds that sanitization for `<object>` tags
as well that Firefox otherwise executes.

DiffTrain build for f0e8164