Dangerously Set innerHTML

Dangersouly Set innerHTML Back

Improper use of the innerHTML can open you up to a cross-site scripting (XSS) attack.

React's design philosophy is that it should be "easy" to make things safe, and developers should explicitly state their intent when performing "unsafe" operations. The prop name dangerouslySetInnerHTML is intentionally chosen to be frightening, and the prop value (an object instead of a string) can be used to indicate sanitized(淨化的) data.

After fully understanding the security ramifications(後果) and properly sanitizing the data, create a new object containing only the key __html and your sanitized data as the value. Here is an example using the JSX syntax:

var MyComponent = React.createClass({
    createMarkup: function () {
        return { __html: 'First &middot; Second' };
    },

    render: function () {
        return (
            <div dangerouslySetInnerHTML={createMarkup()} ></div>
        );
    }
});

ReactDOM.render(
    <MyComponent />,
    document.getElementById('content')
);

Empty Comments

As the plugin is integrated with a code management system like GitLab or GitHub, you may have to auth with your account before leaving comments around this article.

Notice: This plugin has used Cookie to store your token with an expiration.

Aleen^®

More than a coder, more than a designer

modified at 2018-07-23 14:47:13

20 issues reported

#35 [思] Handlebars 模板应该如何进行预处理2019-01-31 13:42:05Inspiration!

#32 [集] A collection of confusing problems met when developing JavaScript under IE2022-01-11 14:03:30Tasks!

#30 [思] 当需要传递多个不定参数时，该如何设计 JavaScript 函数？2017-05-29 09:42:07Inspiration!

#29 [歸納] 304 Status Code 下的头部信息2018-03-19 12:25:21Communication!Summary!

#28 [歸納] 你以为 JavaScript 没数据结构么？2018-03-19 12:25:04Communication!Summary!

#27 [歸納] JavaScript 之高性能2019-09-20 13:56:28Communication!Summary!

#26 Microtasks? Macrotasks?2017-02-26 18:05:36Communication!