
Need an example that shows how to *safely* display rich text created by draftjs

Open rajaraodv opened this issue 7 years ago • 5 comments

If we use draftjs to create rich text, we also need to display it somewhere. But the problem is how do we ensure that the data entered by the user and sent to the server via Draft.js is actually safe from XSS? I'd love to see an example that shows how Facebook ensure this.

rajaraodv avatar Aug 25 '16 21:08 rajaraodv

fixed typo in the title

rajaraodv avatar Aug 25 '16 21:08 rajaraodv

Hi, I suppose you can use something like this http://htmlpurifier.org on the server side.

lkazberova avatar Sep 01 '16 07:09 lkazberova

Save the ContentState to your server, it's just a JSON object and (unless you parse it in an unsafe way) it doesn't pose an XSS risk. You can use something like redraft to render on the server, or one of the renders on awesome-draft-js which are available in many languages.

grrowl avatar Sep 29 '16 05:09 grrowl
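An added example (not code from this thread or from the draft-js project) of the server-side rendering grrowl describes: it takes the raw ContentState JSON produced by `convertToRaw`, escapes every text run, and emits only an allow-listed set of block types, inline styles and http(s) LINK entities, so a stored `<script>` or `javascript:` URL comes out as inert text. The sample content and all helper names are constructed for this example.

```javascript
// Added example (not draft-js project code): render a raw Draft.js ContentState
// to HTML with all user text escaped and only allow-listed tags and links emitted.
const BLOCK_TAGS = { 'unstyled': 'p', 'header-one': 'h1', 'header-two': 'h2',
  'blockquote': 'blockquote', 'unordered-list-item': 'li', 'ordered-list-item': 'li' };
const STYLE_TAGS = { BOLD: 'strong', ITALIC: 'em', UNDERLINE: 'u' };
// Every piece of stored text goes through this before it reaches the output.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g,
    (c) => ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));
}
// LINK entities are rendered only with an http(s) URL; javascript:/data: URLs are dropped.
function safeHref(entity) {
  const url = entity && entity.type === 'LINK' && entity.data ? String(entity.data.url) : '';
  return /^https?:\/\//i.test(url) ? escapeHtml(url) : null;
}
// Cut the text at every style/entity boundary so each segment is either fully
// inside or fully outside a range, then wrap each segment in its allowed tags.
function renderBlock(block, entityMap) {
  const text = String(block.text || '');
  const styles = (block.inlineStyleRanges || []).filter((r) => STYLE_TAGS[r.style]);
  const entities = block.entityRanges || [];
  const cuts = new Set([0, text.length]);
  [...styles, ...entities].forEach((r) => { cuts.add(r.offset); cuts.add(r.offset + r.length); });
  const points = [...cuts].filter((p) => p >= 0 && p <= text.length).sort((a, b) => a - b);
  let html = '';
  for (let i = 0; i + 1 < points.length; i++) {
    const [start, end] = [points[i], points[i + 1]];
    const covers = (r) => r.offset <= start && r.offset + r.length >= end;
    let seg = escapeHtml(text.slice(start, end));
    styles.filter(covers).forEach((r) => { seg = `<${STYLE_TAGS[r.style]}>${seg}</${STYLE_TAGS[r.style]}>`; });
    entities.filter(covers).forEach((r) => {
      const href = safeHref(entityMap[r.key]);
      if (href) seg = `<a href="${href}" rel="noopener noreferrer">${seg}</a>`;
    });
    html += seg;
  }
  const tag = BLOCK_TAGS[block.type] || 'p';  // unknown block types degrade to a plain <p>
  return `<${tag}>${html}</${tag}>`;
}
function renderRaw(raw) {
  if (!raw || !Array.isArray(raw.blocks)) throw new Error('not a raw ContentState');
  return raw.blocks.map((b) => renderBlock(b, raw.entityMap || {})).join('');
}
// Constructed sample: stored text containing a script tag, a bold range and a javascript: link.
const SAMPLE = { blocks: [{ key: 'a1', type: 'unstyled', depth: 0, data: {},
  text: 'Hi <script>alert(1)</script> bold link',
  inlineStyleRanges: [{ offset: 29, length: 4, style: 'BOLD' }],
  entityRanges: [{ offset: 34, length: 4, key: 0 }] }],
  entityMap: { 0: { type: 'LINK', mutability: 'MUTABLE', data: { url: 'javascript:alert(2)' } } } };
```

`renderRaw(SAMPLE)` yields `<p>Hi &lt;script&gt;alert(1)&lt;/script&gt; <strong>bold</strong> link</p>`: the markup is escaped, the bold range survives, and the unsafe link is rendered as plain text.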

You can use something like CSP to resolve the problem.

dreamcog avatar Dec 22 '16 18:12 dreamcog

I have the same question. Is it safe to save the draft-js objects on the server side without validation?

miguelangelorodrigues avatar Jan 17 '22 17:01 miguelangelorodrigues