Support for React 16
Now that React 16 is released, looking at support for React 16 with express-react-views is important. Also, React 16 now provides two additional methods for the Node server:
renderToNodeStream()
renderToStaticNodeStream()
You did the first part of this (backwards compatible support) in #106 and I just shipped that in 0.10.3.
Let's do the rest in a new version (0.11) that supports only 16+ and probably shift to using streaming. We can also switch to babel-env and do fewer code transformations, which hopefully speeds things up a bit too.
@zpao Thank you for taking the time to look into the PR and merging it into master. I know a lot of people needed this. Yes, I think babel-preset-env would be a good next step (active PR #115); after that, streaming would be great.
There was recently a post on the React blog about a vulnerability with server rendered apps.
The exploit deals with HTML passed as props then rendered with a renderToString method. Express-react-views does this and there is a large comment block about it here (from at least a year ago):
https://github.com/reactjs/express-react-views/blob/master/examples/dynamic/views/Html.js
The vulnerability itself was actually discovered at the beginning of this month.
https://reactjs.org/blog/2018/08/01/react-v-16-4-2.html
Could this library be updated for React/ReactDOM 16.2.1 (at a minimum)? Or does the call to the replace function in Html.js do enough to avoid this exploit?
There are fixes in each 16.x release, so I don't feel the need to set a new minimum version in the peer deps. Otherwise, there's not really anything we can or should do. This library doesn't install a version of React, so we're not directly vulnerable.