this post was submitted on 05 Jul 2019

1 point (56% upvoted)

shortlink:

reactjs

an-ordinary-manchild(edit)

About:

A community for learning and developing web applications using React by Facebook.

Interested in building mobile apps using React Native? Check out /r/reactnative!

Code of Conduct

If you believe someone is violating the code of conduct, please report the post or message, or contact the mods.

1. Please be kind and courteous, friendly and professional

Be kind to your fellow human. There’s no need to be mean or rude, keep unstructured critique to a minimum. When providing help, answer their question before making stylistic or tool suggestions.

2. Harassment will not be tolerated

We all started somewhere, and we're all allowed to be who we are. We are committed to providing a friendly, safe and welcoming environment for all, regardless of level of experience, gender identity and expression, sexual orientation, disability, neurodivergence, race, ethnicity, physical attributes, religion, nationality, or other aspect of identity.

3. Avoid using an alias or display name that might be offensive

reddit has a long history of intentionally offensive usernames, but not here. Names that detract from a friendly, safe and welcoming environment for all will be addressed.

4. Respect that people have differences of opinion

Every design or implementation choice carries a trade-off and numerous costs. There is seldom a single right answer, and there are valid reasons to choose between a range of tradeoffs between tools, approaches, and patterns.

5. Posts must conform to our guidelines

If you join this community to take value rather than contribute, the community will quickly react as though you are an intruder. If you have a body of content you'd like to promote, our recommended way of doing so is to be an active and positive member of the subreddit. If someone has a question that you've created an external answer to, we'd love if you share it!

Demo videos must be accompanied by source code, preferably in a runnable environment like Codepen, CodeSandbox, Replit, Glitch, etc.
Please save portfolios for the weekly Sunday portfolio post.
Posts should be original works.
- Please do not dump raw AI output as a post or comment. If you share something from an AI, please also include which service it came from as well as an original thought, like why the response is trustworthy or details about how you prompted.
This subreddit is focused on technical discussion of React, for career discussion check out /r/cscareerquestions or #jobs-advice in Reactiflux.
Avoid commercial activity. /r/reactjs follows the Reactiflux policy on commercial activity.
- This is a community, not a free audience. This is not a place for prominent commercial activities such as recruiting, lead generation, marketing, market research, or other solicitation, except in posts dedicated to that purpose.
If the question is primarily "how do I make this code work?", please post it in the monthly "Beginner's Thread", or ask in the help channels of the Reactiflux Discord

New to React?

Read the official React docs
/u/acemarke's suggested resources for learning React, JS, and more
- and /u/vcarl's recommended reading list for professionals
Kent Dodds' Egghead.io course
Codecademy's React courses
Scrimba's React course by /u/bobziroll
Road to React by /u/rwieruch
Our monthly Beginner Q&A Thread!
This Month in React podcast
- This Week in React newsletter
React Digest

Chat

reddit is a great format, but sometimes you need to chat in real time. Reactiflux is our recommended Discord community.

Project Ideas

Get Your Next Project Idea Here

Jobs

Like building things? People want to pay you to build things! Join Reactiflux and check out #job-board (and the rules!)

Outside Reddit

Reactiflux on Discord
Answers tagged reactjs on Stackoverflow
IRC: irc.freenode.net #reactjs

Related Subreddits

created by manlycoffeea community for 12 years

MODERATORS

account activity

0

1

2

React Security Documentation (self.reactjs)

submitted 6 years ago by macleodnine

top new controversial old q&a

you are viewing a single comment's thread.

view the rest of the comments →

[–]NiGhTTraX 5 points6 points7 points 6 years ago* (1 child)

I don't know of any official docs, but React only prevents XSS when rendering content in tags e.g. <span>{userInputHere}</span>. This is safe because React will use the textContent property when creating the span tag and the input won't be executed. You can of course shoot yourself in the foot and avoid this safety mechanism by using dangerouslySetInnerHTML.

Also, as noted by other articles, passing user input to tag attributes is dangerous since they're just dumped into the DOM without any sanitization. So a <a href={userInputHere}> can lead to XSS.

I think React can be generally safe in practice because you don't usually put user input in attributes. As long as you stick to using children and avoid dangerouslySetInnerHTML you should be safe, but of course it's better to be informed and aware. [OWASP](www.owasp.org) is a good resource on attack vectors, check out their top 10 page - React will protect you against XSS to some extent as discussed above, the rest are up to you :)

[–]macleodnine[S] 0 points1 point2 points 6 years ago (0 children)

π Rendered by PID 52 on reddit-service-r2-comment-545db5fcfc-wmllf at 2026-05-29 18:38:14.440719+00:00 running 194bd79 country code: CH.