XSS prevention: rendering unescaped HTML `useHeadRaw`
Closed this issue · 2 comments
Problem
The only way to render child DOM node content is with children
which sets the textContent
of an element.
Users want a way to set the innerHTML
of an element, related: #84, #51
They also want to render props without escaping, related: #59, #46
There are some security implications here, if we support this and users are filling useHead
directly from an external source, then it's possible that they would be open to XSS.
Proposed Solution
To mitigate against this while still providing a nice DX, it may be required to create a new function useHeadRaw
, which would mark all input as raw
, meaning it won't be sanitised.
We can also introduce useHeadRaw
specific attributes, such as on
for htmlAttr
and bodyAttr
, allowing a user to provide events to be ran, related #47
This is released in 0.9.x