[Breaking] Remove disableJavaScriptURLs #28615

Merged
merged 1 commit into from
Mar 27, 2024


rickhanlonii
Member

## Overview

This has landed, so we can remove the flag

## Changelog

This change blocks using javascript URLs such as:

```html
<a href="javascript:notfine">p0wned</a>
```

We previously announced dropping support for this via a warning:

> A future version of React will block javascript: URLs as a security precaution. Use event handlers instead if you can. If you need to generate unsafe HTML try using dangerouslySetInnerHTML instead.

facebook-github-bot added the CLA Signed and React Core Team labels Mar 22, 2024
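Blocking `javascript:` URLs depends on recognising one the way a browser's URL parser would, not by a literal prefix match. The following is an added example, not code from this PR or from React; the names `isJavaScriptURL`, `safeHref` and `BLOCKED_HREF` and the sample inputs are assumptions made for illustration.

```javascript
// Added example (not React's implementation): decide whether an href value
// would be parsed by a browser as a javascript: URL.

// The WHATWG URL parser strips leading C0 control characters and spaces,
// removes tab/CR/LF anywhere in the input, and compares schemes
// case-insensitively, so the check normalizes the same way first.
function normalizeForSchemeCheck(value) {
  return String(value)
    .replace(/^[\u0000-\u0020]+/, "") // leading controls and spaces
    .replace(/[\t\r\n]/g, "")         // tab/newline anywhere
    .toLowerCase();
}

function isJavaScriptURL(value) {
  return normalizeForSchemeCheck(value).startsWith("javascript:");
}

// Hypothetical inert replacement used when a value is blocked.
const BLOCKED_HREF = "about:blank#blocked";

function safeHref(value) {
  return isJavaScriptURL(value) ? BLOCKED_HREF : String(value);
}

// Constructed sample inputs, including forms a naive prefix check misses.
const samples = [
  "javascript:notfine",                 // the form shown in the PR
  " \tJaVa\nScript:notfine",            // padding, mixed case, embedded newline
  "\u0001javascript:notfine",           // leading control character
  "https://example.com/?q=javascript:", // scheme is https, not javascript
  "/javascript:notfine",                // relative path
  "java script:notfine",                // inner space: not a valid scheme
];

function classify(values) {
  return values.map((v) => ({ input: v, blocked: isJavaScriptURL(v) }));
}

for (const row of classify(samples)) {
  console.log(JSON.stringify(row.input), row.blocked ? "blocked" : "allowed");
}
```
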

react-sizebot commented Mar 22, 2024

Comparing: 6708115...236181f

Critical size changes

Includes critical production bundles, as well as any change greater than 2%:

| Name | +/- | Base | Current | +/- gzip | Base gzip | Current gzip |
| --- | --- | --- | --- | --- | --- | --- |
| oss-stable/react-dom/cjs/react-dom.production.min.js | +0.16% | 176.84 kB | 177.12 kB | +0.25% | 54.92 kB | 55.06 kB |
| oss-experimental/react-dom/cjs/react-dom.production.min.js | = | 173.27 kB | 173.27 kB | = | 54.04 kB | 54.04 kB |
| facebook-www/ReactDOM-prod.classic.js | = | 594.30 kB | 594.30 kB | = | 104.45 kB | 104.45 kB |
| facebook-www/ReactDOM-prod.modern.js | = | 577.56 kB | 577.56 kB | = | 101.48 kB | 101.48 kB |
| test_utils/ReactAllWarnings.js | Deleted | 66.55 kB | 0.00 kB | Deleted | 16.29 kB | 0.00 kB |

Significant size changes

Includes any change greater than 0.2%:

| Name | +/- | Base | Current | +/- gzip | Base gzip | Current gzip |
| --- | --- | --- | --- | --- | --- | --- |
| oss-stable-semver/react-dom/cjs/react-dom-server-legacy.browser.production.min.js | +0.43% | 80.01 kB | 80.36 kB | +0.43% | 24.36 kB | 24.47 kB |
| oss-stable/react-dom/cjs/react-dom-server-legacy.browser.production.min.js | +0.43% | 80.03 kB | 80.38 kB | +0.43% | 24.39 kB | 24.49 kB |
| oss-stable-semver/react-dom/umd/react-dom-server-legacy.browser.production.min.js | +0.43% | 80.09 kB | 80.43 kB | +0.46% | 24.75 kB | 24.86 kB |
| oss-stable/react-dom/umd/react-dom-server-legacy.browser.production.min.js | +0.43% | 80.11 kB | 80.45 kB | +0.45% | 24.78 kB | 24.89 kB |
| oss-stable-semver/react-dom/cjs/react-dom-server.bun.production.min.js | +0.41% | 82.53 kB | 82.87 kB | +0.43% | 25.05 kB | 25.16 kB |
| oss-stable/react-dom/cjs/react-dom-server.bun.production.min.js | +0.41% | 82.56 kB | 82.90 kB | +0.41% | 25.08 kB | 25.19 kB |
| oss-stable-semver/react-dom/cjs/react-dom-server-legacy.node.production.min.js | +0.40% | 85.55 kB | 85.90 kB | +0.33% | 26.28 kB | 26.36 kB |
| oss-stable/react-dom/cjs/react-dom-server-legacy.node.production.min.js | +0.40% | 85.58 kB | 85.92 kB | +0.32% | 26.30 kB | 26.39 kB |
| oss-stable-semver/react-dom/cjs/react-dom-server.browser.production.min.js | +0.40% | 80.95 kB | 81.28 kB | +0.44% | 25.20 kB | 25.31 kB |
| oss-stable/react-dom/cjs/react-dom-server.browser.production.min.js | +0.40% | 80.98 kB | 81.30 kB | +0.44% | 25.23 kB | 25.34 kB |
| oss-stable-semver/react-dom/cjs/react-dom-server.node.production.min.js | +0.40% | 84.09 kB | 84.42 kB | +0.40% | 25.99 kB | 26.09 kB |
| oss-stable/react-dom/cjs/react-dom-server.node.production.min.js | +0.40% | 84.12 kB | 84.45 kB | +0.39% | 26.01 kB | 26.12 kB |
| oss-stable-semver/react-dom/umd/react-dom-server.browser.production.min.js | +0.39% | 81.02 kB | 81.34 kB | +0.40% | 25.49 kB | 25.59 kB |
| oss-stable/react-dom/umd/react-dom-server.browser.production.min.js | +0.39% | 81.05 kB | 81.37 kB | +0.40% | 25.52 kB | 25.62 kB |
| oss-stable-semver/react-dom/cjs/react-dom-server.edge.production.min.js | +0.38% | 85.97 kB | 86.29 kB | +0.35% | 26.85 kB | 26.94 kB |
| oss-stable/react-dom/cjs/react-dom-server.edge.production.min.js | +0.38% | 85.99 kB | 86.32 kB | +0.34% | 26.88 kB | 26.97 kB |
| oss-stable-semver/react-dom/cjs/react-dom-server.bun.production.js | +0.34% | 318.88 kB | 319.98 kB | +0.56% | 69.61 kB | 70.00 kB |
| oss-stable/react-dom/cjs/react-dom-server.bun.production.js | +0.34% | 318.90 kB | 320.00 kB | +0.55% | 69.64 kB | 70.03 kB |
| oss-stable-semver/react-dom/cjs/react-dom-server.browser.production.js | +0.34% | 320.44 kB | 321.54 kB | +0.56% | 70.40 kB | 70.80 kB |
| oss-stable/react-dom/cjs/react-dom-server.browser.production.js | +0.34% | 320.46 kB | 321.56 kB | +0.56% | 70.43 kB | 70.83 kB |
| oss-stable-semver/react-dom/cjs/react-dom-server-legacy.browser.production.js | +0.34% | 320.95 kB | 322.05 kB | +0.57% | 70.22 kB | 70.62 kB |
| oss-stable/react-dom/cjs/react-dom-server-legacy.browser.production.js | +0.34% | 320.98 kB | 322.08 kB | +0.57% | 70.24 kB | 70.64 kB |
| oss-stable-semver/react-dom/cjs/react-dom-server.node.production.js | +0.34% | 323.02 kB | 324.12 kB | +0.57% | 70.42 kB | 70.82 kB |
| oss-stable/react-dom/cjs/react-dom-server.node.production.js | +0.34% | 323.04 kB | 324.14 kB | +0.57% | 70.45 kB | 70.85 kB |
| oss-stable-semver/react-dom/cjs/react-dom-server.edge.production.js | +0.34% | 324.64 kB | 325.74 kB | +0.55% | 71.69 kB | 72.09 kB |
| oss-stable/react-dom/cjs/react-dom-server.edge.production.js | +0.34% | 324.67 kB | 325.76 kB | +0.55% | 71.72 kB | 72.12 kB |
| oss-stable-semver/react-dom/cjs/react-dom-server-legacy.node.production.js | +0.34% | 326.84 kB | 327.94 kB | +0.54% | 71.95 kB | 72.34 kB |
| oss-stable/react-dom/cjs/react-dom-server-legacy.node.production.js | +0.34% | 326.87 kB | 327.97 kB | +0.54% | 71.97 kB | 72.36 kB |
| test_utils/ReactAllWarnings.js | Deleted | 66.55 kB | 0.00 kB | Deleted | 16.29 kB | 0.00 kB |

Generated by 🚫 dangerJS against 236181f

@rickhanlonii rickhanlonii merged commit 9f8daa6 into facebook:main Mar 27, 2024
38 checks passed
github-actions bot pushed a commit that referenced this pull request Mar 27, 2024
DiffTrain build for [9f8daa6](9f8daa6)
EdisonVan pushed a commit to EdisonVan/react that referenced this pull request Apr 15, 2024
Labels: CLA Signed, React Core Team, React 19