40

I am using ReactJS do develop a simple chat application. Could someone help me to sanitize the input . There is only one input text box to send chat messages. How to sanitize it?. 

<input type="text"
              className="chat"
              value={this.state.name}
            />

Based on the documentations HTML escapes html by default. Is it enough?. Do I need to add any other sanitization methods. If yes, please let me know how to do that?.

Improve this question
3
  • value={sanitize(this.state.name)} ? Commented Apr 24, 2017 at 9:45
  • @NguyenThanh can I just give value={sanitize(this.state.name)}, I am getting sanitize not defined error. Do we really need to sanitize?. Would the ReactJS automatically do that for us. Commented Apr 24, 2017 at 10:18
  • React also prevents xss in urls. stackoverflow.com/questions/59840919 Commented Sep 9 at 3:38

2 Answers 2

Reset to default
63

It's sanitized by default, you don't need a sanitization method unless you are using dangerouslySetInnerHTML which is not the case.

Improve this answer
Sign up to request clarification or add additional context in comments.

3 Comments

Are there any documentation on this?.
facebook.github.io/react/docs/… "By default, React DOM escapes any values embedded in JSX before rendering them. Thus it ensures that you can never inject anything that's not explicitly written in your application. Everything is converted to a string before being rendered. This helps prevent XSS (cross-site-scripting) attacks."
@SunnyPatel that would be outside the React DOM so it would need to be sanitized. But do that directly in the backend, never trust what comes from the frontend
9

JSX expressions {} automatically take care of encoding HTML before rendering, which means even if u don't sanitise your input your webpage is XSS safe.

Please refer to this DOC in react site: jsx-prevents-injection-attacks

Note: If you want your user to allow typing in HTML.. then you need input Sanitisation and you have to use dangerouslySetInnerHTML as @dgrijuela mentioned in the above post.

Improve this answer

2 Comments

JSX is just a grammar extension to javascript. There is nothing about the JSX spec which mandates sanitization.
From your link: "By default, React DOM escapes any values embedded in JSX before rendering them". I read this to mean react is escaping the values, NOT JSX.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.