handle internal stylesheets

[sicks]

Fixes #35

[sicks]

Actually, style tags in the body are still broken if they contain quotes. Digging deeper!

[sicks]

Not sure what's going on here. The test passes, but as seen in this fiddle or when you test this on a real page, the quotes get turned into entities.

[ssorallen]

Could you use dangerouslySetInnerHTML={{__html: JSON.stringify(text)}} instead of writing to its innerText? Here's a fiddle with the change: https://jsfiddle.net/ucgLqtbu/1/

This opens a security hole though if you ever let user-created content be written inside a <style> tag.

[sicks]

That works, but is what I had before considered safe? I would think one of the more common use cases of an internal stylesheet would be for custom end-user styles.

[Daniel15]

This opens a security hole though if you ever let user-created content be written inside a <style> tag.

Do you have an example, or is it just a theoretical hole? :)

[sicks]

Do you have an example, or is it just a theoretical hole? :)

That's in reference to react's docs on dangerouslySetInnerHTML but I just did a quick test and <script> tags nested inside <style> tags don't get run, so I don't think it's a danger here.

[ssorallen]

Do you have an example, or is it just a theoretical hole? :)

It's a theoretical hole that I have not proven to be real yet. Since @sickslives tested <script> tags inside <style> tags, it at least seems not blatantly bad.