
Sanitize unknown attribute names for SSR #13302

Merged
merged 1 commit into from Aug 1, 2018

@gaearon (Member) commented Aug 1, 2018

This is a fix for a minor vulnerability we discovered in the server renderer.
The fix has been cherry-picked to every affected minor release:

  • react-dom@16.0.1 (includes the mitigation)
  • react-dom@16.1.2 (includes the mitigation)
  • react-dom@16.2.1 (includes the mitigation)
  • react-dom@16.3.3 (includes the mitigation)
  • react-dom@16.4.2 (includes the mitigation)

For upgrade convenience, these releases were not cut from master, and only contain this fix.

The fix was coordinated with Vue and Preact.

For more info, read the blog post.
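As an added illustration of the bug class this PR fixes (example code, not the PR's diff or React's own implementation): a renderer that escapes attribute values but emits attribute names verbatim, beside one that drops any name outside a simplified attribute-name grammar. The grammar and the `hostileProps` input are constructed assumptions for the example.

```javascript
// Added illustration of the class of bug fixed here (not the PR's own diff):
// an SSR renderer that escapes attribute values but interpolates attribute
// names verbatim lets a caller-controlled *name* break out of the tag.

// Simplified attribute-name grammar (assumption: an ASCII-only subset of
// the XML Name production; a production check would also admit non-ASCII letters).
const VALID_ATTRIBUTE_NAME = /^[A-Za-z_:][A-Za-z0-9_:.-]*$/;

function escapeAttributeValue(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Vulnerable shape: only the value is escaped; the name goes straight into markup.
function renderPropsUnsafe(props) {
  return Object.keys(props)
    .map((name) => ` ${name}="${escapeAttributeValue(props[name])}"`)
    .join('');
}

// Hardened shape: names outside the grammar are dropped before serialisation.
function renderPropsSafe(props) {
  return Object.keys(props)
    .filter((name) => VALID_ATTRIBUTE_NAME.test(name))
    .map((name) => ` ${name}="${escapeAttributeValue(props[name])}"`)
    .join('');
}

function renderDiv(props, renderProps) {
  return `<div${renderProps(props)}></div>`;
}

// Constructed input: one benign prop and one whose *name* contains tag delimiters.
const hostileProps = { id: 'x', 'a><b': 'y' };

// renderDiv(hostileProps, renderPropsUnsafe) → <div id="x" a><b="y"></div>
//   (the div is closed early and a new tag begins, even though the value was escaped)
// renderDiv(hostileProps, renderPropsSafe)   → <div id="x"></div>
//   (the malformed name is dropped)
```

The check belongs on the name, not only the value: value escaping alone cannot stop a name from closing the tag, which is why the fix here targets attribute names.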

@gaearon gaearon merged commit ff41519 into master Aug 1, 2018

2 checks passed: ci/circleci (tests passed on CircleCI); coverage/coveralls (first build on sanitize-ssr at 90.444%)

@gaearon gaearon deleted the sanitize-ssr branch Aug 1, 2018


developit commented Aug 1, 2018

Thanks for coordinating this, @gaearon!

segoddnja added a commit to segoddnja/react that referenced this pull request Aug 1, 2018

azu added a commit to jser/jser.github.io that referenced this pull request Aug 7, 2018

JS for 2018-08-07: Chrome 69 Beta, the React/Vue/Preact SSR XSS fix, Preact 8.3.0 (#536)

* [Chromium Blog: Chrome 69 Beta: CSS tricks, and more](https://blog.chromium.org/2018/08/chrome-69-beta-av1-video-decoder-css.html "Chromium Blog: Chrome 69 Beta: CSS tricks, and more")
* [React v16.4.2: Server-side vulnerability fix - React Blog](https://reactjs.org/blog/2018/08/01/react-v-16-4-2.html "React v16.4.2: Server-side vulnerability fix - React Blog")
  * [Sanitize unknown attribute names for SSR by gaearon · Pull Request #13302 · facebook/react](facebook/react#13302 "Sanitize unknown attribute names for SSR by gaearon · Pull Request #13302 · facebook/react")
* [Release 8.3.0 · developit/preact](https://github.com/developit/preact/releases/tag/8.3.0 "Release 8.3.0 · developit/preact")
* [Things to watch out for so you do not build XSS into Vue.js - SST Engineer Blog](https://techblog.securesky-tech.com/entry/2018/08/01/110000 "Things to watch out for so you do not build XSS into Vue.js - SST Engineer Blog")
* [Fusion.js Documentation](https://fusionjs.com/ "Fusion.js Documentation")
* [Introducing Fusion.js: A Plugin-based Universal Web Framework](https://eng.uber.com/fusionjs/ "Introducing Fusion.js: A Plugin-based Universal Web Framework")
* [Deprecations and removals in Chrome 69 | Web | Google Developers](https://developers.google.com/web/updates/2018/08/chrome-69-deps-rems "Deprecations and removals in Chrome 69 | Web | Google Developers")
* [Chrome Platform Status](https://www.chromestatus.com/features#browsers.chrome.desktop%3D69 "Chrome Platform Status")

TejasQ added a commit to TejasQ/react that referenced this pull request Aug 26, 2018
