HTML Entity encoding in Script Tags about preact-render-to-string HOT 4 OPEN

UPDATE

I just found this also affects internal CSS style tags.

<style>
#settings {
  &amp; .content {
    quotes: &quot;&quot; &quot;&quot;;
    &amp; .icon {}
  }  
}
</style>

from preact-render-to-string.

Yes, this affects any text content in HTML, regardless of the element used. We basically have two choices:

• Remove the restriction for style and script which will lead to people opening themselves and their users up to XSS injections attacks. This would lead to folks saying that "Preact is insecure"
• Keep the current way which means it's a little more tedious, but also forces the developer to acknowledge that this is a potentially dangerous path and that they need to ensure proper security practices on their own.

For completely static strings like in your examples this would be perfectly fine. But from Preact's point of view we don't know how the string was created.

let username = getUserNameFromRequest();

<script>
  // Without escaping this line is a XSS vulnerability
  let username = {username};
  console.log(username)
</script>

Since Preact isn't tied to a compiler and only sees the final string, it cannot make any assumptions that it's secure to use. For this reason the current behavior exists. This behavior could be changed in meta-frameworks which typically use compilers to inspect the original source code. But in Preact itself this is something very risky to change in regards to security of users. It's very unlikely that we will change that in Preact.

from preact-render-to-string.

Yeah, I pretty much expected that was the case.

Honestly, the entire reason for opening this issue was, as a new user to preact, it didn't occur to me that this might even be a problem, and documentation is scarce enough that it took an entire day just to figure out why my code wasn't working.

Hopefully, just by making this post any others that run into the same issue can save themselves some time.

At the very least documentation on dangerouslySetInnerHTML should be improved. The only official documentation (for preact) I could find was here. It took a combination of looking at the source code (to even know it was an option), StackOverflow posts, and React's documentation to figure out the right syntax to make it work.

As for making the code pretty again, it's easy enough to write a wrapper function.

Also, since the reason for this post is to save some time for others, I should probably add an example of using dangerouslySetInnerHTML. I just forgot.

NOTE: this example is using both HTM and a did-it-myself CSS (strips comments, minifies, returns string) tagged template literals.

const STYLES = css`
  #settings {
    & .content {
      quotes: "" "";
      & .icon {}
    }  
  }
`;

// Must use an object as { __html: 'content to inject' }
const innerHTMLCSS = { __html: STYLES };

function injectCSS () {
  return html`
    <style dangerouslySetInnerHTML=${ innerHTMLCSS } ></style>
  `;
}

const IMPORT_MAP = {
  imports: {
    lazyload: "./lazyload.js"
  }
};

function injectImportMap () {
  return html`
    <script
     type="importmap"
     dangerouslySetInnerHTML=${ { __html: JSON.stringify(IMPORT_MAP) } }
    ></script>
  `;
}

export class Head extends Component {
  render (_props: unknown) {
    return html`
      <head>
        <meta charset="UTF-8" />

        ${injectImportMap()}
        <script src="./core/index.ts" type="module"></script>

        ${injectCSS()}
      </head>
    `;
  }
}

from preact-render-to-string.