ReactJS.NET 1.5.1 - Security update

April 23, 2015 by Daniel Lo Nigro


I'm happy to announce the release of ReactJS.NET 1.5.1! This is a bug fix release that fixes a potential XSS issue with server-side rendering. JSON.NET does not escape HTML characters in its JSON output by default. ReactJS.NET uses JSON.NET to serialise the props of server-side rendered components into the inline script block that initialises the component on the client, so a string prop that carries arbitrary user input could contain a closing </script> tag followed by attacker-controlled markup. The browser's HTML parser ends the script element at that point regardless of the surrounding JavaScript string, allowing for XSS.

Escaping of HTML is now enabled by default. If you are using custom JSON serializer settings, those settings take the place of the defaults, so make sure HTML escaping is enabled in them by setting StringEscapeHandling to StringEscapeHandling.EscapeHtml:

ReactSiteConfiguration.Configuration.SetJsonSerializerSettings(
  new JsonSerializerSettings
  {
    // Emit HTML-significant characters in string values as \uXXXX escapes
    StringEscapeHandling = StringEscapeHandling.EscapeHtml
  }
);
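To make the failure mode concrete, here is an added example (not ReactJS.NET's own code) that reproduces the break-out in plain JavaScript. It mirrors the escaping JSON.NET applies to `<`, `>`, `&` and `'` under StringEscapeHandling.EscapeHtml (double quotes are simply written as `\"` here, a simplification), embeds the serialised props in a constructed stand-in for the inline bootstrap script (`App.mount` and `renderPage` are assumptions, not the real ReactJS.NET output), and checks how many script elements a browser would see. The malicious props are constructed sample input.

```javascript
// Added example, not ReactJS.NET's code: why unescaped JSON inside an
// inline <script> is an XSS sink, and how escaping HTML-significant
// characters (what JSON.NET's EscapeHtml setting does) closes it.

// \uXXXX escapes JSON.NET applies to string contents under EscapeHtml
// (subset assumed here: '"' is still written as \" below).
const HTML_ESCAPES = { '<': '\\u003c', '>': '\\u003e', '&': '\\u0026', "'": '\\u0027' };

// Serialise one string as a JSON string literal, optionally HTML-escaped.
function jsonString(value, escapeHtml) {
  let out = '"';
  for (const ch of value) {
    const code = ch.charCodeAt(0);
    if (ch === '"') out += '\\"';
    else if (ch === '\\') out += '\\\\';
    else if (code < 0x20) out += '\\u' + code.toString(16).padStart(4, '0');
    else if (escapeHtml && ch in HTML_ESCAPES) out += HTML_ESCAPES[ch];
    else out += ch;
  }
  return out + '"';
}

// Minimal serialiser for a flat props object (strings, numbers, booleans,
// null) with the HTML-escaping switch the post describes.
function serializeProps(props, escapeHtml) {
  const parts = Object.entries(props).map(([key, val]) => {
    const encoded = typeof val === 'string' ? jsonString(val, escapeHtml) : JSON.stringify(val);
    return jsonString(key, escapeHtml) + ':' + encoded;
  });
  return '{' + parts.join(',') + '}';
}

// Constructed stand-in for the page a server-rendered component ships with:
// rendered markup plus an inline script that hands the props to the client.
function renderPage(propsJson) {
  return '<div id="comment"></div>\n' +
         '<script>App.mount(' + propsJson + ', "comment")</script>';
}

// The HTML tokenizer ends a script element at the first "</script",
// regardless of JavaScript string context: true means the JSON breaks out.
function closesScriptEarly(propsJson) {
  return /<\/script/i.test(propsJson);
}

// Number of script elements the browser would open in the page.
function countScriptTags(html) {
  return (html.match(/<script\b/gi) || []).length;
}

// Constructed malicious input: a comment body that escapes the script block.
const attackerProps = {
  author: 'mallory',
  body: '</script><script>alert(document.cookie)</script>',
};

const vulnerablePage = renderPage(serializeProps(attackerProps, false));
const hardenedPage = renderPage(serializeProps(attackerProps, true));

function demo() {
  return {
    vulnerableScriptTags: countScriptTags(vulnerablePage),   // 2: ours plus the attacker's
    hardenedScriptTags: countScriptTags(hardenedPage),       // 1
    // The escaped JSON still decodes to the original string on the client.
    roundTrips: JSON.parse(serializeProps(attackerProps, true)).body === attackerProps.body,
  };
}

console.log(demo());
```

The point of the round-trip check is that EscapeHtml changes nothing for the application: `\u003c` is an ordinary JSON escape that JSON.parse and the JavaScript engine decode back to `<`, so the component receives the same prop value, but the HTML parser never sees a `<` inside the script element.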

Have fun, and as always, please feel free to send feedback or bug reports on GitHub.

— Daniel

Thanks to Li Huan Jeow for the report.
