notification.content does not get sanitised on client #58
Hi, we are trying to prevent stored XSS in the notifications. We use the React NotificationList component; the docs say the NotificationComponent does prevent XSS, but we still see HTML being rendered, e.g. if we store a "click here" element it will render the button with the onclick event.
Replies: 1 comment 1 reply
Hi @DavideArgellati,

As the notification content comes from a safe source, namely your server, we do not sanitise the notification.content in our React SDK. We simply render the HTML that you've sent to us. If we were to sanitise, you'd lose the functionality of adding JavaScript code to your notifications. In the past, that has been different, but we believe that the flexibility to add JavaScript, from a controlled source, outweighs the benefit of sanitising every message. If you need to sanitise the messages because they're user generated, then you'd need to do this on your side, preferably on your server at the moment you create the notification.

Alternatively, you can provide a custom …

Sorry for the misdirection in the readme. I've fixed that, and clarified the current status as per above.
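One way to do the server-side sanitisation the reply recommends, as an added example that is not the SDK's or the maintainer's code: an allowlist filter run over user-generated content before the notification is created. The allowed tags, attributes and URL schemes are an assumed policy; a maintained library such as DOMPurify would be the production choice, this hand-written version only shows the approach.

```javascript
// Assumed allowlist policy (constructed for this example): a few inline tags,
// "href" only on <a> and only for http(s) URLs, "class" anywhere. Everything
// else, including every on* handler, style and unknown tags, is dropped.
const ALLOWED_TAGS = new Set(["a", "b", "i", "em", "strong", "p", "br", "span"]);
const ALLOWED_ATTRS = new Set(["href", "class"]);

// One opening or closing tag; quoted attribute values may contain ">".
const TAG_RE =
  /<(\/?)([a-zA-Z][a-zA-Z0-9]*)((?:\s+[^\s=>\/]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>"']+))?)*)\s*\/?>/g;
const ATTR_RE = /([^\s=>\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>"']+)))?/g;

// Text outside tags: neutralise angle brackets, leave existing entities alone.
function escapeText(s) {
  return s.replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

function escapeAttr(s) {
  return s.replace(/&/g, "&amp;").replace(/"/g, "&quot;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Rebuilds the attribute list of an allowed tag from the allowlist only.
function safeAttrs(tag, attrString) {
  const out = [];
  for (const m of attrString.matchAll(ATTR_RE)) {
    const name = m[1].toLowerCase();
    const value = m[2] ?? m[3] ?? m[4] ?? "";
    if (!ALLOWED_ATTRS.has(name)) continue; // removes onclick, onerror, style, ...
    // Scheme check on the raw value: "javascript:", "data:" and entity-encoded
    // variants all fail the http(s) prefix test, so the href is simply dropped.
    if (name === "href" && (tag !== "a" || !/^https?:\/\//i.test(value.trim()))) continue;
    out.push(` ${name}="${escapeAttr(value)}"`);
  }
  return out.join("");
}

function sanitizeNotificationContent(html) {
  const s = String(html)
    .replace(/<!--[\s\S]*?-->/g, "")                             // HTML comments
    .replace(/<(script|style)\b[^>]*>[\s\S]*?<\/\1\s*>/gi, "");  // script/style with bodies
  let result = "";
  let last = 0;
  for (const m of s.matchAll(TAG_RE)) {
    result += escapeText(s.slice(last, m.index));
    last = m.index + m[0].length;
    const closing = m[1] === "/";
    const tag = m[2].toLowerCase();
    if (!ALLOWED_TAGS.has(tag)) continue; // disallowed tag removed, its text content kept
    result += closing ? `</${tag}>` : `<${tag}${safeAttrs(tag, m[3])}>`;
  }
  return result + escapeText(s.slice(last));
}
```

With this in place the "click here" button from the question arrives at the client as plain text, while harmless inline markup and http(s) links survive.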