Merge pull request #10 from google/ssr-xss-fix

Eyas · web-flow · commit 1c3aa76b17ae · 2020-03-17T10:06:23.000-04:00
Use a Safe JSON-LD replacer
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -18,7 +18,7 @@
     "@types/react": "^16.7.22",
     "react": "^15.4.1",
     "schema-dts": ">=0.4.0",
-    "typescript": ">=3.1.6"
+    "typescript": "^3.8.3"
   },
   "dependencies": {},
   "peerDependencies": {
diff --git a/src/json-ld.tsx b/src/json-ld.tsx
@@ -1,5 +1,5 @@
 /**
- * Copyright 2019 Google LLC
+ * Copyright 2020 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -44,8 +44,58 @@ export class JsonLd<T extends Thing> extends React.Component<{
     return (
       <script
         type="application/ld+json"
-        dangerouslySetInnerHTML={{ __html: JSON.stringify(this.props.item) }}
+        dangerouslySetInnerHTML={{
+          __html: JSON.stringify(this.props.item, safeJsonLdReplacer)
+        }}
       />
     );
   }
 }
+
+type JsonValueScalar = string | boolean | number;
+type JsonValue =
+  | JsonValueScalar
+  | Array<JsonValue>
+  | { [key: string]: JsonValue };
+type JsonReplacer = (_: string, value: JsonValue) => JsonValue | undefined;
+
+/**
+ * A replacer for JSON.stringify to strip JSON-LD of illegal HTML entities
+ * per https://www.w3.org/TR/json-ld11/#restrictions-for-contents-of-json-ld-script-elements
+ */
+const safeJsonLdReplacer: JsonReplacer = (() => {
+  // Replace per https://www.w3.org/TR/json-ld11/#restrictions-for-contents-of-json-ld-script-elements
+  // Solution from https://stackoverflow.com/a/5499821/864313
+  const entities = Object.freeze({
+    "&": "&amp;",
+    "<": "&lt;",
+    ">": "&gt;",
+    '"': "&quot;",
+    "'": "&apos;"
+  });
+  const replace = (t: string): string =>
+    entities[t as keyof typeof entities] || t;
+
+  return (_: string, value: JsonValue): JsonValue | undefined => {
+    switch (typeof value) {
+      case "object":
+        return value; // JSON.stringify will recursively call replacer.
+      case "number":
+      case "boolean":
+      case "bigint":
+        return value; // These values are not risky.
+      case "string":
+        return value.replace(/[&<>'"]/g, replace);
+      default: {
+        // We shouldn't expect other types.
+        isNever(value);
+
+        // JSON.stringify will remove this element.
+        return undefined;
+      }
+    }
+  };
+})();
+
+// Utility: Assert never
+function isNever(_: never): void {}
