contrib.react.react_html_parser.react_html_parser

Author: returntocorp

Rendering untrusted user input through ReactHtmlParser can lead to XSS.

Definition

rules:
  - id: react_html_parser
    metadata:
      cwe: "CWE-079: Improper Neutralization of Input During Web Page Generation
        ('Cross-site Scripting')"
      owasp: A07:2017 - Cross-Site Scripting (XSS)
      category: security
      technology:
        - react
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    patterns:
      - pattern-not-inside: |
          ReactHtmlParser($X.sanitize(...))
      - pattern-either:
          - pattern: |
              ReactHtmlParser(...)
      - pattern-not-inside: |
          import ReactHtmlParser from 'react-html-parser' ;
    message: Untrusted user input in rendering reactHTMLParser can lead to an XSS
    severity: ERROR
    languages:
      - javascript
      - typescript

Examples

react_html_parser.js

import React from 'react';
import ReactHtmlParser from 'react-html-parser';

// Rule test case: this.props.content is handed to ReactHtmlParser without being
// sanitized first, so the rule reports the call (marked by the ruleid comment).
class Content extends React.Component {
    renderContent() {
        let content = this.props.content;
        if (!content || (typeof content === 'string' && !content.length)) {
            if (this.props.children) {
                return <span>{this.props.children}</span>;
            }
            return null;
        }
        // ruleid:react_html_parser
        return <span>{ReactHtmlParser(content)}</span>;
    }

    render() {
        return this.renderContent();
    }
}

export default Content;
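The hardened counterpart of the example above, added here and not taken from the rule page or the react-html-parser project: the untrusted string goes through a `$X.sanitize(...)` call before ReactHtmlParser sees it, which is the shape the rule's `pattern-not-inside` exception accepts. The allowlist `sanitize` below is a constructed stand-in so the file runs offline (use DOMPurify in a real app), and `renderSanitized` takes the parser as a `parse` argument standing in for ReactHtmlParser.

```javascript
// Added example; not code from the Semgrep rule or the react-html-parser project.
// Tiny allowlist sanitizer used as a constructed, offline stand-in for DOMPurify
// so this file runs with no dependencies. In production keep DOMPurify (or
// sanitize-html) and pass its output to ReactHtmlParser, as the rule expects.

const ALLOWED_TAGS = new Set(['b', 'i', 'em', 'strong', 'p', 'br', 'a']);
const ALLOWED_ATTRS = { a: new Set(['href']) };
// Only these URL schemes (or relative/fragment links) survive in href.
const SAFE_HREF = /^(https?:|mailto:|\/|#)/i;

// Drops every tag not on the allowlist, every attribute not allowed for that
// tag (so all on* handlers), and hrefs with an unsafe scheme such as javascript:.
function sanitize(html) {
  // Remove <script>/<style> together with their bodies, not just the tags.
  const stripped = String(html).replace(/<(script|style)\b[^>]*>[\s\S]*?<\/\1\s*>/gi, '');
  return stripped.replace(/<\/?([a-z][a-z0-9]*)\b([^>]*)>/gi, (m, rawTag, attrs) => {
    const tag = rawTag.toLowerCase();
    if (!ALLOWED_TAGS.has(tag)) return '';
    if (m.startsWith('</')) return `</${tag}>`;
    const kept = [];
    const attrRe = /([a-z][a-z0-9-]*)\s*=\s*("[^"]*"|'[^']*'|[^\s"'>]+)/gi;
    let a;
    while ((a = attrRe.exec(attrs)) !== null) {
      const name = a[1].toLowerCase();
      const value = a[2].replace(/^["']|["']$/g, '').trim();
      const allowed = ALLOWED_ATTRS[tag];
      if (!allowed || !allowed.has(name)) continue;
      if (name === 'href' && !SAFE_HREF.test(value)) continue;
      kept.push(`${name}="${value.replace(/"/g, '&quot;')}"`);
    }
    return `<${tag}${kept.length ? ' ' + kept.join(' ') : ''}>`;
  });
}

// Hardened form of the page's renderContent(). `parse` stands in for
// ReactHtmlParser (imported from 'react-html-parser' in the real component).
// sanitizer.sanitize(...) wraps the input, which is exactly what the rule's
// pattern-not-inside exception looks for; in JSX the line becomes:
//   return <span>{ReactHtmlParser(DOMPurify.sanitize(content))}</span>;
function renderSanitized(content, parse) {
  const sanitizer = { sanitize }; // DOMPurify in production
  if (!content || (typeof content === 'string' && !content.length)) return null;
  return parse(sanitizer.sanitize(content));
}
```

The exception is purely syntactic: any call spelled `$X.sanitize(...)` silences the finding, so confirm during review that the object behind that name is a real HTML sanitizer and not, say, a whitespace trimmer.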