fusion-cli

No html escape for developer error

Open slonoed opened this issue 7 years ago • 0 comments

Error message and stack are inserted into a page when a server-side rendering error occurs in dev mode.

Type of issue

Bug (maybe minor)

Current behavior

Add throw new Error('<script>alert(1)<script>') into Root component. Reload page: browser shows red page with error. Script tag inserted as is. By default CSP doesn't allow scripts, so it is not executed.

Fusion code

Expected behavior

HTML tags are escaped.

Your environment

  • fusion-cli version: 1.13.1

slonoed, Dec 21 '18 20:12
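
The behaviour reported above next to the expected one, as an added example that is not part of the original issue and is not fusion-cli's code. The function names and page markup are hypothetical; the sample error is the one from the reproduction step.

```javascript
// Hypothetical dev-mode error page renderer (illustration only, not fusion-cli code).

// Escape the characters that are significant in HTML text and attribute contexts.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Reported behaviour: message and stack are interpolated into the page as is,
// so markup inside the error text becomes markup in the response.
function renderErrorPageUnescaped(err) {
  return `<body style="background:red"><h1>${err.message}</h1><pre>${err.stack}</pre></body>`;
}

// Expected behaviour: every error-derived string is escaped before interpolation.
// Also covers non-Error throws such as `throw 'text'` or `throw null`.
function renderErrorPageEscaped(err) {
  const hasMessage = err !== null && typeof err === 'object' && 'message' in err;
  const message = escapeHtml(hasMessage ? err.message : err);
  const stack = escapeHtml(hasMessage && err.stack ? err.stack : '');
  return `<body style="background:red"><h1>${message}</h1><pre>${stack}</pre></body>`;
}

// Constructed input: the error from the reproduction step in the issue.
const sampleError = new Error('<script>alert(1)<script>');

// Check usable in a unit test for the error page: no raw tag survives rendering.
function hasRawScriptTag(html) {
  return /<\s*script/i.test(html);
}

console.log(hasRawScriptTag(renderErrorPageUnescaped(sampleError)));
console.log(hasRawScriptTag(renderErrorPageEscaped(sampleError)));
```

With escaping in place the page no longer depends on the default CSP to keep the injected tag from running.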