Files
wehub-resource-sync d48cda4081
CI / Test (ubuntu-latest, Node 18.x, bun) (push) Failing after 15m1s
CI / Test (ubuntu-latest, Node 18.x, npm) (push) Failing after 15m1s
CI / Test (ubuntu-latest, Node 18.x, pnpm) (push) Failing after 15m1s
CI / Test (ubuntu-latest, Node 18.x, yarn) (push) Failing after 15m1s
CI / Test (ubuntu-latest, Node 20.x, bun) (push) Failing after 17m13s
CI / Test (ubuntu-latest, Node 20.x, npm) (push) Failing after 18m42s
CI / Test (ubuntu-latest, Node 20.x, pnpm) (push) Failing after 15m0s
CI / Test (ubuntu-latest, Node 20.x, yarn) (push) Failing after 49m44s
CI / Test (ubuntu-latest, Node 22.x, bun) (push) Failing after 51m55s
CI / Test (ubuntu-latest, Node 22.x, pnpm) (push) Failing after 21m57s
CI / Test (ubuntu-latest, Node 22.x, npm) (push) Failing after 37m39s
CI / Test (ubuntu-latest, Node 22.x, yarn) (push) Failing after 34m7s
CI / Validate Components (push) Failing after 37m15s
CI / Python Tests (push) Failing after 10m1s
CI / Security Scan (push) Failing after 10m1s
CI / Lint (push) Failing after 17m12s
CI / Coverage (push) Failing after 20m19s
CI / Test (macos-latest, Node 18.x, bun) (push) Has been cancelled
CI / Test (macos-latest, Node 18.x, npm) (push) Has been cancelled
CI / Test (macos-latest, Node 18.x, pnpm) (push) Has been cancelled
CI / Test (macos-latest, Node 18.x, yarn) (push) Has been cancelled
CI / Test (windows-latest, Node 18.x, npm) (push) Has been cancelled
CI / Test (windows-latest, Node 18.x, pnpm) (push) Has been cancelled
CI / Test (windows-latest, Node 18.x, yarn) (push) Has been cancelled
CI / Test (macos-latest, Node 20.x, bun) (push) Has been cancelled
CI / Test (macos-latest, Node 20.x, npm) (push) Has been cancelled
CI / Test (macos-latest, Node 20.x, pnpm) (push) Has been cancelled
CI / Test (macos-latest, Node 20.x, yarn) (push) Has been cancelled
CI / Test (windows-latest, Node 20.x, npm) (push) Has been cancelled
CI / Test (windows-latest, Node 20.x, pnpm) (push) Has been cancelled
CI / Test (windows-latest, Node 20.x, yarn) (push) Has been cancelled
CI / Test (macos-latest, Node 22.x, bun) (push) Has been cancelled
CI / Test (macos-latest, Node 22.x, npm) (push) Has been cancelled
CI / Test (macos-latest, Node 22.x, pnpm) (push) Has been cancelled
CI / Test (macos-latest, Node 22.x, yarn) (push) Has been cancelled
CI / Test (windows-latest, Node 22.x, npm) (push) Has been cancelled
CI / Test (windows-latest, Node 22.x, pnpm) (push) Has been cancelled
CI / Test (windows-latest, Node 22.x, yarn) (push) Has been cancelled
chore: import upstream snapshot with attribution
2026-07-13 11:55:55 +08:00

6.2 KiB

paths
paths
**/*.tsx
**/*.jsx
**/components/**/*.ts
**/app/**/*.ts
**/pages/**/*.ts

React Security

This file extends typescript/security.md and common/security.md with React specific content.

XSS via dangerouslySetInnerHTML

CRITICAL. The prop name is deliberately scary — treat every usage as a code review halt.

// CRITICAL: unsanitized user input
<div dangerouslySetInnerHTML={{ __html: userBio }} />

// CORRECT options:
// 1. Render as text
<div>{userBio}</div>

// 2. Render parsed markdown via a library that sanitizes
<ReactMarkdown>{userBio}</ReactMarkdown>

// 3. If raw HTML is required, sanitize first with DOMPurify
import DOMPurify from "isomorphic-dompurify";
<div dangerouslySetInnerHTML={{ __html: DOMPurify.sanitize(userBio) }} />

Audit checklist for every dangerouslySetInnerHTML call:

  • Is the input always under our control? Document the source.
  • If user-derived: is it sanitized at the same call site? (Sanitization at the API boundary is acceptable only if every consumer is verified.)
  • Is the sanitizer config allowlisting tags, not denylisting?

Unsafe URL Schemes

javascript: and data: URLs in href, src, and xlink:href execute arbitrary code.

// CRITICAL: javascript: URL injection
<a href={user.website}>Visit</a>   // if user.website = "javascript:alert(1)"

// CORRECT: validate scheme
function safeUrl(url: string): string | undefined {
  try {
    const parsed = new URL(url);
    if (["http:", "https:", "mailto:"].includes(parsed.protocol)) return url;
  } catch {
    return undefined;
  }
  return undefined;
}
<a href={safeUrl(user.website)}>Visit</a>

React warns about javascript: URLs in href in development mode, but does not block them at runtime. data: URLs and other schemes also slip through. Always validate.

target="_blank" Without rel

<a target="_blank"> without rel="noopener noreferrer" lets the target page access window.opener and run navigation hijacks.

// WRONG
<a href={externalUrl} target="_blank">External</a>

// CORRECT
<a href={externalUrl} target="_blank" rel="noopener noreferrer">External</a>

Modern browsers default to noopener when target="_blank", but do not rely on browser defaults — be explicit.

Server Action Input Validation

Server Actions ("use server") run with the same trust level as a public API endpoint. Validate every input.

"use server";
import { z } from "zod";

const Input = z.object({
  email: z.string().email(),
  age: z.number().int().min(0).max(120),
});

export async function updateUser(_state: unknown, formData: FormData) {
  const parsed = Input.safeParse({
    email: formData.get("email"),
    age: Number(formData.get("age")),
  });
  if (!parsed.success) return { error: parsed.error.flatten() };
  // ...
}
  • Authenticate inside the action — do not trust the client-side route gate
  • Authorize: confirm the current user has permission for the specific record they are mutating
  • Rate limit sensitive actions

Secret Exposure via Env Vars

Prefixed env vars are bundled into the client. Treat them as public.

Framework Public prefix Private
Next.js NEXT_PUBLIC_* All others
Vite VITE_* .env server-side only
Create React App REACT_APP_*, plus NODE_ENV and PUBLIC_URL All others (anything without the REACT_APP_ prefix is server-side only)
Remix process.env access in loader/action only Same
// CRITICAL: secret leaked to client bundle
const apiKey = process.env.NEXT_PUBLIC_STRIPE_SECRET_KEY;

Audit on every PR that touches env vars: would this string in the public bundle be a problem?

Authentication / Authorization

  • Never store sessions in localStorage — accessible to any XSS. Use httpOnly secure cookies.
  • Never trust client-set state to gate sensitive UI. Render-gating in JSX prevents display, not access — the API must enforce.
  • CSRF: cookie-based auth requires CSRF tokens or SameSite=Strict/Lax cookies
  • Use double-submit cookies or origin verification for form actions when not using framework defaults

Content Security Policy (CSP)

Configure server-side. The minimum acceptable CSP for a React app:

default-src 'self';
script-src 'self' 'nonce-{REQUEST_NONCE}';
style-src 'self' 'unsafe-inline';
img-src 'self' data: https:;
connect-src 'self' https://api.example.com;
frame-ancestors 'none';
  • Avoid unsafe-inline and unsafe-eval in script-src
  • For SSR with inline scripts (Next.js streaming, hydration data), use per-request nonces — both Next.js and Remix support nonce injection
  • style-src 'unsafe-inline' is often unavoidable for CSS-in-JS libraries — document the tradeoff

Prototype Pollution via Object Spread

// WRONG: untrusted JSON spread directly into state
const update = await req.json();
setState({ ...state, ...update });    // attacker controls __proto__

// CORRECT: parse with a schema, or guard keys
const Allowed = z.object({ name: z.string(), email: z.string().email() });
const parsed = Allowed.parse(await req.json());
setState({ ...state, ...parsed });

SSR Template Injection

When using renderToString or renderToPipeableStream:

  • All values rendered inside JSX are escaped by React — safe
  • Values passed to dangerouslySetInnerHTML are NOT escaped — same rules as client
  • Manually constructed HTML wrappers around the React output must be escaped or sanitized — never concatenate user input into the surrounding HTML template

Third-Party Components

  • Audit npm audit before adding any UI library
  • Check that the library does not internally use dangerouslySetInnerHTML on its input (e.g., rich text editors)
  • Pin versions, review changelogs before major upgrades
  • Be wary of components that accept HTML strings as props

Source Map Exposure in Production

Production builds should ship without source maps, or with sourcemaps uploaded to an error tracker (Sentry) and stripped from the public bundle. Public source maps leak internal logic and file structure.

Agent Support

  • Use security-reviewer agent for comprehensive security audits across the codebase
  • Use react-reviewer agent for React-specific patterns and the above rules in active code review