Generate safe javascript url instead of throwing

facebook · Mar 29, 2023 · 2658946 · 2658946
1 parent 666589e
commit 2658946
Show file tree

Hide file tree

Showing 3 changed files with 196 additions and 108 deletions.
diff --git a/packages/react-dom-bindings/src/client/DOMPropertyOperations.js b/packages/react-dom-bindings/src/client/DOMPropertyOperations.js
@@ -17,7 +17,6 @@ import {
 } from '../shared/DOMProperty';
 import sanitizeURL from '../shared/sanitizeURL';
 import {
- disableJavaScriptURLs,
  enableTrustedTypesIntegration,
  enableCustomElementPropertySupport,
  enableFilterEmptyStringAttributesDOM,
@@ -43,15 +42,6 @@ export function getValueForProperty(
  const {propertyName} = propertyInfo;
  return (node: any)[propertyName];
  }
- if (!disableJavaScriptURLs && propertyInfo.sanitizeURL) {
- // If we haven't fully disabled javascript: URLs, and if
- // the hydration is successful of a javascript: URL, we
- // still want to warn on the client.
- if (__DEV__) {
- checkAttributeStringCoercion(expected, name);
- }
- sanitizeURL(expected);
- }
 
  const attributeName = propertyInfo.attributeName;
 
@@ -134,6 +124,11 @@ export function getValueForProperty(
  }
 
  // shouldRemoveAttribute
+ switch (typeof expected) {
+ case 'function':
+ case 'symbol': // eslint-disable-line
+ return value;
+ }
  switch (propertyInfo.type) {
  case BOOLEAN: {
  if (expected) {
@@ -175,6 +170,16 @@ export function getValueForProperty(
  if (__DEV__) {
  checkAttributeStringCoercion(expected, name);
  }
+ if (propertyInfo.sanitizeURL) {
+ // We have already verified this above.
+ // eslint-disable-next-line react-internal/safe-string-coercion
+ if (value === '' + (sanitizeURL(expected): any)) {
+ return expected;
+ }
+ return value;
+ }
+ // We have already verified this above.
+ // eslint-disable-next-line react-internal/safe-string-coercion
  if (value === '' + (expected: any)) {
  return expected;
  }

diff --git a/packages/react-dom-bindings/src/shared/sanitizeURL.js b/packages/react-dom-bindings/src/shared/sanitizeURL.js
@@ -30,9 +30,10 @@ function sanitizeURL<T>(url: T): T | string {
  const stringifiedURL = '' + (url: any);
  if (disableJavaScriptURLs) {
  if (isJavaScriptProtocol.test(stringifiedURL)) {
- throw new Error(
- 'React has blocked a javascript: URL as a security precaution.',
- );
+ // Return a different javascript: url that doesn't cause any side-effects and just
+ // throws if ever visited.
+ // eslint-disable-next-line no-script-url
+ return "javascript:throw new Error('React has blocked a javascript: URL as a security precaution.')";
  }
  } else if (__DEV__) {
  if (!didWarn && isJavaScriptProtocol.test(stringifiedURL)) {