Basically it's possible to inject dirty html:
const striked = '<strike>test</strike>';
console.log(<div>{striked}</div>);
console.log(<div><strike>test</strike></div>);
console.log(<div>{striked}</div>);This is the output:
<div><strike>test</strike></div>
<div><strike>test</strike></div>
<div><strike>test</strike></div>
Expected output:
<div><strike>test</strike></div>
<div><strike>test</strike></div>
<div><strike>test</strike></div>
After rendering <div><strike>test</strike></div>, it caches <strike>test</strike> and doesn't sanitize it anymore. It can be seen live here as well. Just because something was rendered before, it shouldn't mean that it's sanitized.
Basically it's possible to inject dirty html:
This is the output:
Expected output:
After rendering
<div><strike>test</strike></div>, it caches<strike>test</strike>and doesn't sanitize it anymore. It can be seen live here as well. Just because something was rendered before, it shouldn't mean that it's sanitized.