feat(core): 限制dangerouslySetInnerHTML API生效的条件，减少XSS攻击面

2024-04-02 10:47:31 +08:00 · 2024-04-02 10:47:31 +08:00 · ebfe1eceb9
parent ec34490202
commit ebfe1eceb9
2 changed files with 43 additions and 0 deletions
--- a/packages/inula/tests/DomTest/Attribute.test.js
+++ b/packages/inula/tests/DomTest/Attribute.test.js
@ -95,4 +95,16 @@ describe('Dom Attribute', () => {
      Inula.render(<div {...emptyStringProps} />, container);
    }).not.toThrow();
  });
  it('dangerouslySetInnerHTML和children同时设置，只渲染children', () => {
    Inula.act(() => {
      Inula.render(
        <div className="root" dangerouslySetInnerHTML={{ __html: '1234' }}>
          123
        </div>,
        container
      );
    });
    expect(container.innerHTML).toBe('<div class="root">123</div>');
  });
 });
--- a/packages/inula/src/dom/validators/ValidateProps.ts
+++ b/packages/inula/src/dom/validators/ValidateProps.ts
@ -17,6 +17,25 @@ import { getPropDetails, PROPERTY_TYPE, PropDetails } from './PropertiesData';
 const INVALID_EVENT_NAME_REGEX = /^on[^A-Z]/;
 const voidTagElements = [
  'area',
  'base',
  'br',
  'col',
  'embed',
  'hr',
  'img',
  'input',
  'keygen',
  'link',
  'meta',
  'param',
  'source',
  'track',
  'wbr',
  'menuitem',
 ];
 // 是内置元素
 export function isNativeElement(tagName: string, props: Record<string, any>) {
  return !tagName.includes('-') && props.is === undefined;
@ -108,6 +127,18 @@ export function validateProps(type, props) {
    throw new Error('style should be a object.');
  }
  // 对于没有children的元素，设置dangerouslySetInnerHTML不生效
  if (voidTagElements.includes(type)) {
    if (props.dangerouslySetInnerHTML != null) {
      delete props.dangerouslySetInnerHTML;
    }
  }
  // dangerouslySetInnerHTML和children同时设置，只渲染children
  if (props.dangerouslySetInnerHTML != null && props.children != null) {
    delete props.dangerouslySetInnerHTML;
  }
  if (isDev) {
    // 校验属性
    const invalidProps = Object.keys(props).filter(key => !isValidProp(type, key, props[key]));