Description
Do you want to request a feature or report a bug? Bug
What is the current behavior?
React apps use a version of serialize-javascript that triggers this warning: github.com/yahoo/serialize-javascript/.../advisories/GHSA-h9rv-jmmf-4pgx.
An updated version ^2.1.1 was just released to fix this issue.
Impact
Affected versions of this package are vulnerable to Cross-site Scripting (XSS). It does not properly mitigate against unsafe characters in serialized regular expressions.
This vulnerability does not affect Node.js environments, since Node.js's implementation of RegExp.prototype.toString() backslash-escapes all forward slashes in regular expressions.
If serialized data of regular expression objects is used in an environment other than Node.js, it is affected by this vulnerability.
Patches
This was patched in v2.1.1.
Reproduction steps
npx create-react-app testing-latest-react
(React version 16.12.0)
What is the expected behavior?
Which versions of React, and which browser / OS are affected by this issue? Did this work in previous versions of React?
This security advisory was just created 5 days ago. I don't know which older React versions are affected.
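The Impact section above describes the failure mode: a regular expression's `source` is emitted unchanged into a `/source/flags` literal, which is only safe when the engine has already backslash-escaped every forward slash, as Node.js does. The following is an added example, not serialize-javascript's own code or its actual patch; `escapeRegExpSource` and the other function names are assumptions, and the escaping rules are modelled on the advisory's description rather than copied from the library.

```javascript
// Added example: naive vs. hardened serialization of a RegExp for
// embedding in generated JavaScript (e.g. an inline <script> block).
// Not serialize-javascript's code; names and rules are assumptions.

// Escape every forward slash that is not already backslash-escaped, so
// the rebuilt literal /source/flags cannot be terminated early. Encode
// < and > as regex hex escapes (\x3C, \x3E): they still match the same
// characters but can no longer form an HTML tag such as </script>.
// U+2028/U+2029 are encoded because they are line terminators in JS.
function escapeRegExpSource(source) {
  let out = "";
  let escaped = false; // true when the previous char was an unescaped backslash
  for (const ch of source) {
    if (escaped) { out += ch; escaped = false; continue; }
    if (ch === "\\") { out += ch; escaped = true; continue; }
    if (ch === "/") out += "\\/";
    else if (ch === "<") out += "\\x3C";
    else if (ch === ">") out += "\\x3E";
    else if (ch === "\u2028") out += "\\u2028";
    else if (ch === "\u2029") out += "\\u2029";
    else out += ch;
  }
  return out;
}

// Naive form: trusts the engine-provided source as-is. Correct only where
// the engine escapes slashes itself (Node.js); broken elsewhere.
function serializeRegExpNaive(source, flags) {
  return "/" + source + "/" + flags;
}

// Hardened form: safe regardless of how the engine rendered `source`.
function serializeRegExpSafe(source, flags) {
  return "/" + escapeRegExpSource(source) + "/" + flags;
}

// Defensive check for output destined for an inline <script>: a raw "</"
// is the minimum sequence that can close the script element.
function isSafeForInlineScript(text) {
  return !text.includes("</");
}

// Rebuild a RegExp from a /source/flags literal without eval, so the
// round trip can be verified: the escaped pattern must match the same input.
function parseRegExpLiteral(literal) {
  const end = literal.lastIndexOf("/");
  return new RegExp(literal.slice(1, end), literal.slice(end + 1));
}
```

The sample sources passed in below are constructed to mimic a non-Node engine that returns an unescaped `/` in `RegExp.prototype.source`.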