Thanks for filing a bug! To save time, if you're having trouble using the library, please check off the items you have tried. If you are just asking a question, skip right to the bottom.
Please verify these steps before filing an issue, and check them off as you go
- [✔️] The relevant native JavaScriptEngineSwitcher library packages are installed (such as JavaScriptEngineSwitcher.V8.Native.win-x64)
- [✔️] The VC++ 2017 runtime is installed
- [✔️] The value of SetUseReact and SetUseBabel is correct in ReactConfig.cs or Startup.cs
- [✔️] I've looked at the sample projects in this repo to verify that my app is configured correctly
I'm using these library versions:
ReactJS.NET: 5.1.2
JavaScriptEngineSwitcher: ChakraCore 3.3.0
react and react-dom: (N/A if using bundled react, or version number): ^16.9.0
webpack: (N/A if using bundled react) ^4.39.1
node: (N/A if using bundled react): 12.14.1
Runtime environment:
- OS: (Mac, Windows, Linux flavor. Include 32-bit/64-bit and version)
Windows
- .NET Framework or .NET Core Version:
.NET Core 3.1
Steps to reproduce
On older versions of Internet Explorer (IE 11 and below), it seems as though some characters in the URL don't get encoded before the request is sent to the server, specifically in this case the single quotation character ('). On other browsers (Chrome), the quotation character gets encoded before the server receives the request. Note this only happens on first initial load and/or if JavaScript is disabled completely.
e.g
IE 11 Below
/?keyword=String Wit'h Single Quote
Chrome
/?keyword=String%20Wit%27h%20Single%20Quote
When using React Router, because of how the location is written in ReactRouterComponent and because the single quotation mark does not get encoded, it breaks the returned JavaScript initialiser string (see line 83) and a 500 happens on the server.
https://github.com/reactjs/React.NET/blob/master/src/React.Router/ReactRouterComponent.cs#L83
This can be recreated by following the Quick start steps, opening Internet Explorer 11 or below and entering a URL like:
http://localhost:9457/comments?test=ttt'ttt
Potentially this also opens up a possible vulnerability maybe? In some quick tests on IE with JS disabled, we can change the props of /comments -> initialComments by altering this URL, e.g.:
http://localhost:9457/comments?test=tttt'},{initialComments:[{"author":{"name":"Matt","githubUsername":"mattywong"},"text":"hello world"}]},{a:'
Or alternatively display a completely different page altogether:
http://localhost:9457/comments?test=tttt'},{location:'/react-jss'},{a:'
Not too sure what's the best way to handle this. On our end (we're using an older version of React.NET), we're modifying the query string and replacing the single quote with the encoded value
```csharp
// before:
request.Path.ToString() + request.QueryString;
// after:
request.Path.ToString() + request.QueryString.ToString()?.Replace("'", "%27");
```
We also looked at perhaps using a different type of encoding:
see (http://www.secretgeek.net/uri_enconding)
Though I'm not too sure exactly what the implications of the above are, as it looks like we might get double encoding if the request comes from Chrome or browsers other than IE?
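The behaviour reported above, as an added example that is not part of the original report and is not React.NET source: it models an initialiser that embeds the request path and query in a JavaScript string literal, then compares raw concatenation with emitting the value as a JSON string literal. The function names and the exact initialiser shape are assumptions; the sample inputs are the URLs quoted in the report.

```javascript
// Assumed initialiser shape (hypothetical): the location is merged into props
// with Object.assign, as the payloads in the report suggest.

// Unsafe: the raw location is pasted between single quotes.
function buildUnsafe(location) {
  return "Object.assign({}, props, { location: '" + location + "', context: context })";
}

// Hardened: emit the location as a JSON string literal. JSON.stringify escapes
// quotes and backslashes; '<' and U+2028/U+2029 are escaped as well so the
// literal also stays inert inside an inline <script> block.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, "\\u003c")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

function buildSafe(location) {
  return "Object.assign({}, props, { location: " + jsStringLiteral(location) + ", context: context })";
}

// Evaluate the generated expression as a JS engine would, with constructed
// props and context. Returns the merged props, or the error name on failure.
function evaluate(expression) {
  try {
    const run = new Function("props", "context", "return " + expression + ";");
    return run({ initialComments: [] }, {});
  } catch (err) {
    return { error: err.name };
  }
}

// Constructed inputs, taken from the URLs quoted in the report.
const ieQuote = "/comments?test=ttt'ttt";
const ieOverride = "/comments?test=tttt'},{location:'/react-jss'},{a:'";
const chromeEncoded = "/comments?test=ttt%27ttt";

console.log(evaluate(buildUnsafe(ieQuote)));             // syntax error (the 500)
console.log(evaluate(buildUnsafe(ieOverride)).location); // location replaced
console.log(evaluate(buildSafe(ieOverride)).location);   // original string kept
console.log(evaluate(buildSafe(chromeEncoded)).location); // %27 left as-is
```

Because the literal is escaped for the JavaScript context rather than re-encoded as a URL, an already percent-encoded query from Chrome passes through unchanged, so the double-encoding concern does not arise with this approach.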