XSS vulnerability when using SSR

[romandecker]

There's a potential XSS problem when using this library with server-side-rendering (which is arguably one of the most prominent use-cases to render json-ld):

const React = require("react");
const express = require("express");
const ReactDOMServer = require("react-dom/server");
const { JsonLd } = require("react-schemaorg");

const dangerous = "</script><script>alert('xss')</script>";

express()
  .get("/", (req, res) =>
    res.send(
      ReactDOMServer.renderToString(
        <div>
          <p>It's ok here: {dangerous}</p>
          <p>
            But not here: <JsonLd item={{ name: dangerous }} />
          </p>
        </div>
      )
    )
  )
  .listen(2000, () => console.log("Listening on port 2000"));

This will result in an alert being shown when accessing http://localhost:2000. Here's a repo to quickly reproduce the issue: https://github.com/DeX3/react-schemaorg-ssr-xss-poc

[Eyas]

Nice! Thanks for the report. Indeed we'll want the item set to only be a valid JSON object.

[Eyas]

Oh I misread, I thought you were setting the whole item to a string with "</script>" but I just realized you're setting just the 'name' property.

[Eyas]

This should be released later today.