sanitize javascript: urls for <object> tags

[kassens]

sanitize javascript: urls for tags

React 19 added sanitization for javascript: URLs for href properties on various tags. This PR also adds that sanitization for <object> tags as well that Firefox otherwise executes.

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Comments	Updated (UTC)
react-compiler-playground	✅ Ready (Inspect)	Visit Preview	💬 Add feedback	Jun 12, 2024 4:34pm

[react-sizebot]

Comparing: f3e09d6...475b518

Critical size changes

Includes critical production bundles, as well as any change greater than 2%:

Name	+/-	Base	Current	+/- gzip	Base gzip	Current gzip
oss-stable/react-dom/cjs/react-dom.production.js	=	6.66 kB	6.66 kB	+0.05%	1.82 kB	1.82 kB
oss-stable/react-dom/cjs/react-dom-client.production.js	+0.03%	497.80 kB	497.93 kB	+0.02%	89.24 kB	89.26 kB
oss-experimental/react-dom/cjs/react-dom.production.js	=	6.67 kB	6.67 kB	+0.05%	1.83 kB	1.83 kB
oss-experimental/react-dom/cjs/react-dom-client.production.js	+0.03%	502.62 kB	502.75 kB	+0.02%	89.94 kB	89.96 kB
facebook-www/ReactDOM-prod.classic.js	+0.02%	597.04 kB	597.17 kB	+0.02%	105.31 kB	105.33 kB
facebook-www/ReactDOM-prod.modern.js	+0.02%	571.38 kB	571.52 kB	+0.01%	101.25 kB	101.27 kB
test_utils/ReactAllWarnings.js	Deleted	63.50 kB	0.00 kB	Deleted	15.90 kB	0.00 kB

Significant size changes

Includes any change greater than 0.2%:

Expand to show

Name	+/-	Base	Current	+/- gzip	Base gzip	Current gzip
oss-stable-rc/react-dom/cjs/react-dom-server-legacy.browser.production.js	+0.84%	197.43 kB	199.08 kB	+0.47%	36.46 kB	36.63 kB
oss-stable-semver/react-dom/cjs/react-dom-server-legacy.browser.production.js	+0.84%	197.43 kB	199.08 kB	+0.47%	36.46 kB	36.63 kB
oss-stable/react-dom/cjs/react-dom-server-legacy.browser.production.js	+0.84%	197.45 kB	199.11 kB	+0.47%	36.48 kB	36.65 kB
oss-stable-rc/react-dom/cjs/react-dom-server.browser.production.js	+0.83%	212.66 kB	214.42 kB	+0.43%	38.73 kB	38.90 kB
oss-stable-semver/react-dom/cjs/react-dom-server.browser.production.js	+0.83%	212.66 kB	214.42 kB	+0.43%	38.73 kB	38.90 kB
oss-stable/react-dom/cjs/react-dom-server.browser.production.js	+0.83%	212.73 kB	214.49 kB	+0.43%	38.76 kB	38.93 kB
oss-stable-rc/react-dom/cjs/react-dom-server.bun.production.js	+0.82%	201.31 kB	202.96 kB	+0.46%	37.51 kB	37.68 kB
oss-stable-semver/react-dom/cjs/react-dom-server.bun.production.js	+0.82%	201.31 kB	202.96 kB	+0.46%	37.51 kB	37.68 kB
oss-stable/react-dom/cjs/react-dom-server.bun.production.js	+0.82%	201.37 kB	203.03 kB	+0.46%	37.53 kB	37.71 kB
oss-stable-rc/react-dom/cjs/react-dom-server-legacy.node.production.js	+0.82%	201.87 kB	203.52 kB	+0.46%	38.20 kB	38.37 kB
oss-stable-semver/react-dom/cjs/react-dom-server-legacy.node.production.js	+0.82%	201.87 kB	203.52 kB	+0.46%	38.20 kB	38.37 kB
oss-stable/react-dom/cjs/react-dom-server-legacy.node.production.js	+0.82%	201.89 kB	203.55 kB	+0.46%	38.22 kB	38.40 kB
oss-stable-rc/react-dom/cjs/react-dom-server.edge.production.js	+0.81%	217.53 kB	219.29 kB	+0.43%	40.56 kB	40.73 kB
oss-stable-semver/react-dom/cjs/react-dom-server.edge.production.js	+0.81%	217.53 kB	219.29 kB	+0.43%	40.56 kB	40.73 kB
oss-stable/react-dom/cjs/react-dom-server.edge.production.js	+0.81%	217.60 kB	219.36 kB	+0.43%	40.58 kB	40.76 kB
facebook-www/ReactDOMServer-prod.modern.js	+0.81%	204.90 kB	206.56 kB	+0.46%	37.51 kB	37.68 kB
facebook-www/ReactDOMServer-prod.classic.js	+0.80%	205.56 kB	207.21 kB	+0.46%	37.71 kB	37.88 kB
oss-stable-rc/react-dom/cjs/react-dom-server.node.production.js	+0.80%	213.46 kB	215.15 kB	+0.45%	39.31 kB	39.49 kB
oss-stable-semver/react-dom/cjs/react-dom-server.node.production.js	+0.80%	213.46 kB	215.15 kB	+0.45%	39.31 kB	39.49 kB
oss-stable/react-dom/cjs/react-dom-server.node.production.js	+0.79%	213.52 kB	215.22 kB	+0.45%	39.34 kB	39.51 kB
facebook-www/ReactDOMServerStreaming-prod.modern.js	+0.79%	209.16 kB	210.81 kB	+0.44%	38.94 kB	39.11 kB
oss-experimental/react-dom/cjs/react-dom-server-legacy.browser.production.js	+0.78%	211.98 kB	213.64 kB	+0.47%	38.45 kB	38.64 kB
oss-experimental/react-dom/cjs/react-dom-server-legacy.node.production.js	+0.76%	216.98 kB	218.63 kB	+0.42%	40.31 kB	40.48 kB
oss-experimental/react-dom/cjs/react-dom-server.bun.production.js	+0.76%	217.53 kB	219.18 kB	+0.44%	39.66 kB	39.83 kB
oss-experimental/react-dom/cjs/react-dom-server.browser.production.js	+0.74%	237.20 kB	238.96 kB	+0.41%	41.67 kB	41.84 kB
oss-experimental/react-dom/cjs/react-dom-server.edge.production.js	+0.73%	242.62 kB	244.38 kB	+0.40%	43.62 kB	43.79 kB
oss-experimental/react-dom/cjs/react-dom-server.node.production.js	+0.71%	238.63 kB	240.33 kB	+0.42%	42.86 kB	43.04 kB
oss-stable-rc/react-dom/cjs/react-dom-server.bun.development.js	+0.70%	300.37 kB	302.48 kB	+0.51%	59.10 kB	59.40 kB
oss-stable-semver/react-dom/cjs/react-dom-server.bun.development.js	+0.70%	300.37 kB	302.48 kB	+0.51%	59.10 kB	59.40 kB
oss-stable/react-dom/cjs/react-dom-server.bun.development.js	+0.70%	300.44 kB	302.55 kB	+0.51%	59.13 kB	59.43 kB
oss-stable-rc/react-dom/cjs/react-dom-server-legacy.node.development.js	+0.68%	338.96 kB	341.28 kB	+0.45%	62.21 kB	62.49 kB
oss-stable-semver/react-dom/cjs/react-dom-server-legacy.node.development.js	+0.68%	338.96 kB	341.28 kB	+0.45%	62.21 kB	62.49 kB
oss-stable-rc/react-dom/cjs/react-dom-server-legacy.browser.development.js	+0.68%	338.96 kB	341.28 kB	+0.45%	62.21 kB	62.49 kB
oss-stable-semver/react-dom/cjs/react-dom-server-legacy.browser.development.js	+0.68%	338.96 kB	341.28 kB	+0.45%	62.21 kB	62.49 kB
oss-stable/react-dom/cjs/react-dom-server-legacy.node.development.js	+0.68%	338.98 kB	341.30 kB	+0.45%	62.24 kB	62.52 kB
oss-stable/react-dom/cjs/react-dom-server-legacy.browser.development.js	+0.68%	338.99 kB	341.31 kB	+0.45%	62.24 kB	62.52 kB
oss-stable-rc/react-dom/cjs/react-dom-server.browser.development.js	+0.68%	350.49 kB	352.89 kB	+0.46%	63.98 kB	64.28 kB
oss-stable-semver/react-dom/cjs/react-dom-server.browser.development.js	+0.68%	350.49 kB	352.89 kB	+0.46%	63.98 kB	64.28 kB
oss-stable/react-dom/cjs/react-dom-server.browser.development.js	+0.68%	350.56 kB	352.96 kB	+0.46%	64.01 kB	64.31 kB
oss-stable-rc/react-dom/cjs/react-dom-server.edge.development.js	+0.68%	350.99 kB	353.38 kB	+0.46%	64.06 kB	64.35 kB
oss-stable-semver/react-dom/cjs/react-dom-server.edge.development.js	+0.68%	350.99 kB	353.38 kB	+0.46%	64.06 kB	64.35 kB
oss-stable/react-dom/cjs/react-dom-server.edge.development.js	+0.68%	351.06 kB	353.45 kB	+0.46%	64.08 kB	64.38 kB
facebook-www/ReactDOMServerStreaming-dev.modern.js	+0.68%	342.83 kB	345.15 kB	+0.45%	62.36 kB	62.64 kB
oss-stable-rc/react-dom/cjs/react-dom-server.node.development.js	+0.67%	345.65 kB	347.97 kB	+0.44%	62.70 kB	62.98 kB
oss-stable-semver/react-dom/cjs/react-dom-server.node.development.js	+0.67%	345.65 kB	347.97 kB	+0.44%	62.70 kB	62.98 kB
oss-stable/react-dom/cjs/react-dom-server.node.development.js	+0.67%	345.72 kB	348.04 kB	+0.44%	62.73 kB	63.00 kB
facebook-www/ReactDOMServer-dev.modern.js	+0.66%	350.81 kB	353.13 kB	+0.44%	63.67 kB	63.95 kB
oss-experimental/react-dom/cjs/react-dom-server.bun.development.js	+0.66%	319.86 kB	321.97 kB	+0.49%	61.73 kB	62.04 kB
facebook-www/ReactDOMServer-dev.classic.js	+0.66%	352.88 kB	355.20 kB	+0.44%	64.12 kB	64.40 kB
oss-experimental/react-dom/cjs/react-dom-server-legacy.node.development.js	+0.65%	359.77 kB	362.09 kB	+0.42%	64.88 kB	65.16 kB
oss-experimental/react-dom/cjs/react-dom-server-legacy.browser.development.js	+0.65%	359.78 kB	362.10 kB	+0.42%	64.88 kB	65.16 kB
oss-experimental/react-dom/cjs/react-dom-server.browser.development.js	+0.63%	382.03 kB	384.42 kB	+0.43%	67.47 kB	67.76 kB
oss-experimental/react-dom/cjs/react-dom-server.edge.development.js	+0.63%	382.52 kB	384.91 kB	+0.42%	67.54 kB	67.82 kB
oss-experimental/react-dom/cjs/react-dom-server.node.development.js	+0.61%	377.52 kB	379.84 kB	+0.41%	66.97 kB	67.24 kB
test_utils/ReactAllWarnings.js	Deleted	63.50 kB	0.00 kB	Deleted	15.90 kB	0.00 kB

Generated by 🚫 dangerJS against 475b518

[kassens]

My open question is if we have preferred behavior of <object data="" />

[sebmarkbage]

What does <object data=""> do in the browser?

• If it does something useful, then we shouldn't error.
• If it loads the current page's URL as an external object, then we should error.

The goal is to not accidentally load current page URL a second time for no good reason.

[sebmarkbage]

Seems like you have some failing tests too.

[kassens]

Tests pass now.

Implemented removing the string removal to match general empty string behavior.

I couldn't repro the behavior of re-requesting the page either with imgs or object tags, maybe I'm missing something or it doesn't show up in the network panel. Had a repro in this sandbox: https://codesandbox.io/p/sandbox/upbeat-hofstadter-dvmlwv?file=%2Findex.html%3A12%2C1

[eps1lon]

I couldn't repro the behavior of re-requesting the page either with imgs or object tags, maybe I'm missing something or it doesn't show up in the network panel.

It seems like Chrome (and possibly other browsers?) are no longer trying to render an image with an empty src attribute. Apparently this is even specced behavior: whatwg/html#3280 (comment)