1.5.1

@Daniel15 Daniel15 released this 24 Apr 05:02

This is a bug fix release that fixes a potential XSS issue in server-side rendering. By default, JSON.NET does not escape HTML characters in its JSON output. Because ReactJS.NET uses JSON.NET to write the props of server-side rendered components into the page, a prop that accepts arbitrary user input could contain script tags, allowing XSS.

HTML escaping is now enabled by default. If you are using custom JSON serializer settings, you need to enable HTML escaping yourself by setting StringEscapeHandling to StringEscapeHandling.EscapeHtml:

// ReactSiteConfiguration lives in the React namespace; the serializer types come from JSON.NET
using Newtonsoft.Json;
using React;

ReactSiteConfiguration.Configuration.SetJsonSerializerSettings(
  new JsonSerializerSettings
  {
    // Custom settings replace the defaults, so HTML escaping has to be set explicitly here
    StringEscapeHandling = StringEscapeHandling.EscapeHtml
  }
);
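To see what the setting changes, here is an added example (not part of ReactJS.NET or this release) that serializes a props object with JSON.NET's defaults and with EscapeHtml, then checks whether the result could terminate the surrounding script element. The component name, element id and the RenderScript layout are illustrative assumptions, not ReactJS.NET's actual markup; only the Newtonsoft.Json package is required.

```csharp
using System;
using Newtonsoft.Json;

public static class PropsEscapingDemo
{
    // Serializes the props object the way ReactJS.NET hands them to JSON.NET, with the given settings.
    public static string SerializeProps(object props, JsonSerializerSettings settings) =>
        JsonConvert.SerializeObject(props, settings);

    // Illustrative script block a server-rendered page might emit (assumed layout, not ReactJS.NET's).
    public static string RenderScript(string propsJson) =>
        "<script>React.render(React.createElement(Comment, " + propsJson +
        "), document.getElementById(\"comment\"));</script>";

    // True when the serialized props contain a literal closing script tag: the HTML parser
    // would end the script element there, before the JavaScript parser ever sees the string.
    public static bool CanBreakOutOfScript(string propsJson) =>
        propsJson.IndexOf("</script", StringComparison.OrdinalIgnoreCase) >= 0;

    public static void Main()
    {
        // Constructed sample: user-supplied text that happens to contain a closing script tag.
        var props = new { author = "alice", text = "hello </script>" };

        var defaults = new JsonSerializerSettings();   // JSON.NET default: no HTML escaping
        var hardened = new JsonSerializerSettings      // what ReactJS.NET 1.5.1 now uses by default
        {
            StringEscapeHandling = StringEscapeHandling.EscapeHtml
        };

        string unescapedJson = SerializeProps(props, defaults);
        string escapedJson = SerializeProps(props, hardened);

        // With the defaults, "</script>" is written verbatim into the page.
        Console.WriteLine(CanBreakOutOfScript(unescapedJson));
        Console.WriteLine(RenderScript(unescapedJson));

        // With EscapeHtml, '<' and '>' become \u003c and \u003e. The HTML parser sees no tag,
        // while the JavaScript string the component receives is still "hello </script>".
        Console.WriteLine(CanBreakOutOfScript(escapedJson));
        Console.WriteLine(RenderScript(escapedJson));
    }
}
```

The same check applies to any other place props or JSON are inlined into HTML: the escaping must happen at serialization time, because the HTML tokenizer runs before the JavaScript engine.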

Have fun, and as always, please feel free to send feedback or bug reports
on GitHub.

— Daniel

Thanks to Li Huan Jeow for the report.