From bbcf4d1eacd70ce4fc25bf06437922c197c908b5 Mon Sep 17 00:00:00 2001
From: Sebastian Markbage
Date: Sat, 13 Mar 2021 09:45:21 -0500
Subject: [PATCH] Use escapeTextForBrowser to encode dynamic strings
We can now use local dependencies
---
 .../react-dom/src/server/ReactDOMServerFormatConfig.js | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/packages/react-dom/src/server/ReactDOMServerFormatConfig.js b/packages/react-dom/src/server/ReactDOMServerFormatConfig.js
index 104834ca88ecd..b06196c452a60 100644
--- a/packages/react-dom/src/server/ReactDOMServerFormatConfig.js
+++ b/packages/react-dom/src/server/ReactDOMServerFormatConfig.js
@@ -14,6 +14,7 @@ import {
 convertStringToBuffer,
 } from 'react-server/src/ReactServerStreamConfig';
+import escapeTextForBrowser from './escapeTextForBrowser';
 import invariant from 'shared/invariant';
 // Per response,
@@ -46,13 +47,11 @@ export function createSuspenseBoundaryID(
 }
 function encodeHTMLIDAttribute(value: string): string {
- // TODO: This needs to be encoded for security purposes.
- return value;
+ return escapeTextForBrowser(value);
 }
 function encodeHTMLTextNode(text: string): string {
- // TOOD: This needs to be encoded for security purposes.
- return text;
+ return escapeTextForBrowser(text);
 }
 export function pushTextInstance(
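Review bot: `encodeHTMLIDAttribute` now relies on a text-node escaper for an attribute context, and nothing in this patch shows whether every caller emits the id inside a quoted attribute (the call sites are outside the hunk). If escapeTextForBrowser covers `&`, `<`, `>` and both quote characters (its body is not part of this patch), the result is safe only between quotes; an unquoted `id=` would still be split by whitespace in the value. I would record that contract on the function, for example `// Escaped for use inside a quoted attribute value only; callers must emit the surrounding quotes.` The diffstat shows one file changed, so no test pins the encoding; a server-render test with an id and a text node containing `"` and `<` would keep the escaping from regressing silently.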