🔒 fix: remove dangerouslySetInnerHTML from JSON-LD script tag #52
This commit removes the use of `dangerouslySetInnerHTML` in the JSON-LD script tag on the landing page. In modern React, passing the stringified JSON as a child to the script tag is a safe and supported alternative that avoids security warnings and potential XSS vectors if the data were to become dynamic.

Added a unit test `src/app/__tests__/page.test.tsx` to ensure that the JSON-LD metadata is correctly rendered in the script tag.

Testing performed:
- Unit tests: `pnpm test` (All passed)
- E2E tests: `pnpm test:e2e` (All passed)
- Typecheck: `pnpm typecheck` (Passed)
- Lint: `pnpm lint` (Passed)
- Build: `pnpm build` (Passed)
…sly-set-inner-html-1136408213545760962
# Conflicts:
#   src/app/__tests__/page.test.tsx
🎯 What: The vulnerability fixed

Removed the use of `dangerouslySetInnerHTML` in the `<script type="application/ld+json">` tag within `src/app/page.tsx`. While the JSON-LD data is currently static, `dangerouslySetInnerHTML` is a common source of security warnings and can lead to Cross-Site Scripting (XSS) vulnerabilities if dynamic or unsanitized data is later introduced into the metadata.

🛡️ Solution: How the fix addresses the vulnerability

Replaced `dangerouslySetInnerHTML` with standard React children. Modern React (16+) correctly handles string children in script and style tags by rendering them raw, which is exactly what is needed for valid JSON-LD metadata, while satisfying security best practices and linter rules.

A new unit test was added to `src/app/__tests__/page.test.tsx` to verify the JSON-LD rendering logic.

PR created automatically by Jules for task 1136408213545760962 started by @amrabed
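The description above and the PR body both note that the JSON-LD is static today but could become dynamic. The added example below (not code from this PR or its repository) shows the renderer-independent defence a reviewer would want alongside the `dangerouslySetInnerHTML` removal: serializing the JSON-LD so that it can never contain the `</script>` or `<!--` sequences that end an inline script element early. It escapes `<`, `>` and `&` as JSON `\uXXXX` escapes (the same idea as the `.replace(/</g, '\\u003c')` that the Next.js docs recommend for JSON-LD), which keeps the text valid JSON so it still parses back to the original object. The function and variable names (`serializeJsonLd`, `isSafeInlineScriptText`, `sampleJsonLd`) and the sample data are this example's own, not the project's.

```javascript
// Serialize an object as JSON-LD text that is safe to embed inside a
// <script type="application/ld+json"> element. '<', '>' and '&' are replaced
// with their JSON \uXXXX escapes, so the output is still valid JSON
// (JSON.parse round-trips it) but can never contain "</script>" or "<!--".
function serializeJsonLd(data) {
  return JSON.stringify(data).replace(/[<>&]/g, (ch) => {
    // '<' -> \u003c, '>' -> \u003e, '&' -> \u0026
    return '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0');
  });
}

// Defensive check, usable in a unit test: the embedded text must not be able
// to close the surrounding <script> element, open a new one, or start an
// HTML comment.
function isSafeInlineScriptText(text) {
  return !/<\/script/i.test(text) && !/<script/i.test(text) && !/<!--/.test(text);
}

// Constructed sample (hypothetical data, not from the project): a JSON-LD
// object whose description carries an untrusted string that tries to
// terminate the script element early.
const untrustedDescription = 'Great site</script><b>not part of the JSON</b>';
const sampleJsonLd = {
  '@context': 'https://schema.org',
  '@type': 'WebSite',
  name: 'Example',
  description: untrustedDescription,
};

// Compare plain JSON.stringify with the escaping serializer on the same input.
function demo() {
  const naive = JSON.stringify(sampleJsonLd);
  const safe = serializeJsonLd(sampleJsonLd);
  return {
    naiveIsSafe: isSafeInlineScriptText(naive),                        // false
    safeIsSafe: isSafeInlineScriptText(safe),                          // true
    roundTrips: JSON.parse(safe).description === untrustedDescription, // true
  };
}

console.log(demo());
```

In a component this would be `<script type="application/ld+json">{serializeJsonLd(jsonLd)}</script>`; the `isSafeInlineScriptText` check is the kind of assertion that fits in a test like the one this PR adds, so a future change that feeds user-controlled data into the metadata is caught by the test suite rather than by a browser.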