Remove toString of dangerouslySetInnerHTML #17773
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
As far as I can tell, the toString call was added here: facebook@caae627#diff-5574f655d491348f422bca600ff6711dR887 It was never really needed. Subsequently when we added Trusted Types, this needed to be changed to a special call but we really should just always let it pass through.
sebmarkbage
force-pushed
the
rmhtmltostring
branch
from
3aaed14 to
9b1d183
Compare
|
This pull request is automatically built and testable in CodeSandbox. To see build info of the built libraries, click here or the icon next to each commit SHA. Latest deployment of this branch, based on commit 9b1d183:
|
sophiebits
approved these changes
Jan 4, 2020
Merged
This was referenced Mar 6, 2020
This was referenced Sep 25, 2024
This was referenced Sep 28, 2024
This was referenced Sep 29, 2024
This was referenced Oct 4, 2024
This was referenced Oct 5, 2024
This was referenced Oct 12, 2024
This was referenced Oct 25, 2024
This was referenced Oct 26, 2024
This was referenced Oct 27, 2024
newkdr
added a commit
to newkdr/vscode-gitlens
that referenced
this pull request
Dec 12, 2024
 <h3>Snyk has created this PR to upgrade react-dom from 16.8.4 to 16.14.0.</h3> :information_source: Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project. <hr/> - The recommended version is **13 versions** ahead of your current version. - The recommended version was released on **4 years ago**. <details> <summary><b>Release notes</b></summary> <br/> <details> <summary>Package name: <b>react-dom</b></summary> <ul> <li> <b>16.14.0</b> - <a href="https://github.com/facebook/react/releases/tag/v16.14.0">2020-10-14</a></br><h3>React</h3> <ul> <li>Add support for the <a href="https://reactjs.org/blog/2020/09/22/introducing-the-new-jsx-transform.html" rel="nofollow">new JSX transform</a>. (<a href="https://github.com/lunaruan">@ lunaruan</a> in <a href="https://github.com/facebook/react/pull/18299" data-hovercard-type="pull_request" data-hovercard-url="/facebook/react/pull/18299/hovercard">#18299</a>)</li> </ul> </li> <li> <b>16.13.1</b> - <a href="https://github.com/facebook/react/releases/tag/v16.13.1">2020-03-19</a></br><h3>React DOM</h3> <ul> <li>Fix bug in legacy mode Suspense where effect clean-up functions are not fired. This only affects users who use Suspense for data fetching in legacy mode, which is not technically supported. (<a href="https://github.com/acdlite">@ acdlite</a> in <a href="https://github.com/facebook/react/pull/18238" data-hovercard-type="pull_request" data-hovercard-url="/facebook/react/pull/18238/hovercard">#18238</a>)</li> <li>Revert warning for cross-component updates that happen inside class render lifecycles (<code>componentWillReceiveProps</code>, <code>shouldComponentUpdate</code>, and so on). (<a href="https://github.com/gaearon">@ gaearon</a> in <a href="https://github.com/facebook/react/pull/18330" data-hovercard-type="pull_request" data-hovercard-url="/facebook/react/pull/18330/hovercard">#18330</a>)</li> </ul> <h2>Artifacts</h2> <ul> <li>react: <a href="https://unpkg.com/react@16.13.1/umd/" rel="nofollow">https://unpkg.com/react@16.13.1/umd/</a></li> <li>react-art: <a href="https://unpkg.com/react-art@16.13.1/umd/" rel="nofollow">https://unpkg.com/react-art@16.13.1/umd/</a></li> <li>react-dom: <a href="https://unpkg.com/react-dom@16.13.1/umd/" rel="nofollow">https://unpkg.com/react-dom@16.13.1/umd/</a></li> <li>react-is: <a href="https://unpkg.com/react-is@16.13.1/umd/" rel="nofollow">https://unpkg.com/react-is@16.13.1/umd/</a></li> <li>react-test-renderer: <a href="https://unpkg.com/react-test-renderer@16.13.1/umd/" rel="nofollow">https://unpkg.com/react-test-renderer@16.13.1/umd/</a></li> <li>scheduler: <a href="https://unpkg.com/scheduler@0.19.1/umd/" rel="nofollow">https://unpkg.com/scheduler@0.19.1/umd/</a></li> </ul> </li> <li> <b>16.13.0</b> - <a href="https://github.com/facebook/react/releases/tag/v16.13.0">2020-02-26</a></br><h3>React</h3> <ul> <li>Warn when a string ref is used in a manner that's not amenable to a future codemod (<a href="https://github.com/lunaruan">@ lunaruan</a> in <a href="https://github.com/facebook/react/pull/17864" data-hovercard-type="pull_request" data-hovercard-url="/facebook/react/pull/17864/hovercard">#17864</a>)</li> <li>Deprecate <code>React.createFactory()</code> (<a href="https://github.com/trueadm">@ trueadm</a> in <a href="https://github.com/facebook/react/pull/17878" data-hovercard-type="pull_request" data-hovercard-url="/facebook/react/pull/17878/hovercard">#17878</a>)</li> </ul> <h3>React DOM</h3> <ul> <li>Warn when changes in <code>style</code> may cause an unexpected collision (<a href="https://github.com/sophiebits">@ sophiebits</a> in <a href="https://github.com/facebook/react/pull/14181" data-hovercard-type="pull_request" data-hovercard-url="/facebook/react/pull/14181/hovercard">#14181</a>, <a href="https://github.com/facebook/react/pull/18002" data-hovercard-type="pull_request" data-hovercard-url="/facebook/react/pull/18002/hovercard">#18002</a>)</li> <li>Warn when a function component is updated during another component's render phase (<a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="/users/acdlite/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="https://github.com/acdlite">@ acdlite</a> in <a href="https://github.com/facebook/react/pull/17099" data-hovercard-type="pull_request" data-hovercard-url="/facebook/react/pull/17099/hovercard">#17099</a>)</li> <li>Deprecate <code>unstable_createPortal</code> (<a href="https://github.com/trueadm">@ trueadm</a> in <a href="https://github.com/facebook/react/pull/17880" data-hovercard-type="pull_request" data-hovercard-url="/facebook/react/pull/17880/hovercard">#17880</a>)</li> <li>Fix <code>onMouseEnter</code> being fired on disabled buttons (<a href="https://github.com/AlfredoGJ">@ AlfredoGJ</a> in <a href="https://github.com/facebook/react/pull/17675" data-hovercard-type="pull_request" data-hovercard-url="/facebook/react/pull/17675/hovercard">#17675</a>)</li> <li>Call <code>shouldComponentUpdate</code> twice when developing in <code>StrictMode</code> (<a href="https://github.com/bvaughn">@ bvaughn</a> in <a href="https://github.com/facebook/react/pull/17942" data-hovercard-type="pull_request" data-hovercard-url="/facebook/react/pull/17942/hovercard">#17942</a>)</li> <li>Add <code>version</code> property to ReactDOM (<a href="https://github.com/ealush">@ ealush</a> in <a href="https://github.com/facebook/react/pull/15780" data-hovercard-type="pull_request" data-hovercard-url="/facebook/react/pull/15780/hovercard">#15780</a>)</li> <li>Don't call <code>toString()</code> of <code>dangerouslySetInnerHTML</code> (<a href="https://github.com/sebmarkbage">@ sebmarkbage</a> in <a href="https://github.com/facebook/react/pull/17773" data-hovercard-type="pull_request" data-hovercard-url="/facebook/react/pull/17773/hovercard">#17773</a>)</li> <li>Show component stacks in more warnings (<a href="https://github.com/gaearon">@ gaearon</a> in <a href="https://github.com/facebook/react/pull/17922" data-hovercard-type="pull_request" data-hovercard-url="/facebook/react/pull/17922/hovercard">#17922</a>, <a href="https://github.com/facebook/react/pull/17586" data-hovercard-type="pull_request" data-hovercard-url="/facebook/react/pull/17586/hovercard">#17586</a>)</li> </ul> <h3>Concurrent Mode (Experimental)</h3> <ul> <li>Warn for problematic usages of <code>ReactDOM.createRoot()</code> (<a href="https://github.com/trueadm">@ trueadm</a> in <a href="https://github.com/facebook/react/pull/17937" data-hovercard-type="pull_request" data-hovercard-url="/facebook/react/pull/17937/hovercard">#17937</a>)</li> <li>Remove <code>ReactDOM.createRoot()</code> callback params and added warnings on usage (<a href="https://github.com/bvaughn">@ bvaughn</a> in <a href="https://github.com/facebook/react/pull/17916" data-hovercard-type="pull_request" data-hovercard-url="/facebook/react/pull/17916/hovercard">#17916</a>)</li> <li>Don't group Idle/Offscreen work with other work (<a href="https://github.com/sebmarkbage">@ sebmarkbage</a> in <a href="https://github.com/facebook/react/pull/17456" data-hovercard-type="pull_request" data-hovercard-url="/facebook/react/pull/17456/hovercard">#17456</a>)</li> <li>Adjust <code>SuspenseList</code> CPU bound heuristic (<a href="https://github.com/sebmarkbage">@ sebmarkbage</a> in <a href="https://github.com/facebook/react/pull/17455" data-hovercard-type="pull_request" data-hovercard-url="/facebook/react/pull/17455/hovercard">#17455</a>)</li> <li>Add missing event plugin priorities (<a href="https://github.com/trueadm">@ trueadm</a> in <a href="https://github.com/facebook/react/pull/17914" data-hovercard-type="pull_request" data-hovercard-url="/facebook/react/pull/17914/hovercard">#17914</a>)</li> <li>Fix <code>isPending</code> only being true when transitioning from inside an input event (<a href="https://github.com/acdlite">@ acdlite</a> in <a href="https://github.com/facebook/react/pull/17382" data-hovercard-type="pull_request" data-hovercard-url="/facebook/react/pull/17382/hovercard">#17382</a>)</li> <li>Fix <code>React.memo</code> components dropping updates when interrupted by a higher priority update (<a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="/users/acdlite/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="https://github.com/acdlite">@ acdlite</a> in <a href="https://github.com/facebook/react/pull/18091" data-hovercard-type="pull_request" data-hovercard-url="/facebook/react/pull/18091/hovercard">#18091</a>)</li> <li>Don't warn when suspending at the wrong priority (<a href="https://github.com/gaearon">@ gaearon</a> in <a href="https://github.com/facebook/react/pull/17971" data-hovercard-type="pull_request" data-hovercard-url="/facebook/react/pull/17971/hovercard">#17971</a>)</li> <li>Fix a bug with rebasing updates (<a href="https://github.com/acdlite">@ acdlite</a> and <a href="https://github.com/sebmarkbage">@ sebmarkbage</a> in <a href="https://github.com/facebook/react/pull/17560" data-hovercard-type="pull_request" data-hovercard-url="/facebook/react/pull/17560/hovercard">#17560</a>, <a href="https://github.com/facebook/react/pull/17510" data-hovercard-type="pull_request" data-hovercard-url="/facebook/react/pull/17510/hovercard">#17510</a>, <a href="https://github.com/facebook/react/pull/17483" data-hovercard-type="pull_request" data-hovercard-url="/facebook/react/pull/17483/hovercard">#17483</a>, <a href="https://github.com/facebook/react/pull/17480" data-hovercard-type="pull_request" data-hovercard-url="/facebook/react/pull/17480/hovercard">#17480</a>)</li> </ul> <h2>Artifacts</h2> <ul> <li>react: <a href="https://unpkg.com/react@16.13.0/umd/" rel="nofollow">https://unpkg.com/react@16.13.0/umd/</a></li> <li>react-art: <a href="https://unpkg.com/react-art@16.13.0/umd/" rel="nofollow">https://unpkg.com/react-art@16.13.0/umd/</a></li> <li>react-dom: <a href="https://unpkg.com/react-dom@16.13.0/umd/" rel="nofollow">https://unpkg.com/react-dom@16.13.0/umd/</a></li> <li>react-is: <a href="https://unpkg.com/react-is@16.13.0/umd/" rel="nofollow">https://unpkg.com/react-is@16.13.0/umd/</a></li> <li>react-test-renderer: <a href="https://unpkg.com/react-test-renderer@16.13.0/umd/" rel="nofollow">https://unpkg.com/react-test-renderer@16.13.0/umd/</a></li> <li>scheduler: <a href="https://unpkg.com/scheduler@0.19.0/umd/" rel="nofollow">https://unpkg.com/scheduler@0.19.0/umd/</a></li> </ul> </li> <li> <b>16.12.0</b> - <a href="https://github.com/facebook/react/releases/tag/v16.12.0">2019-11-14</a></br><h3>React DOM</h3> <ul> <li>Fix passive effects (<code>useEffect</code>) not being fired in a multi-root app. (<a href="https://github.com/acdlite">@ acdlite</a> in <a href="https://github.com/facebook/react/pull/17347" data-hovercard-type="pull_request" data-hovercard-url="/facebook/react/pull/17347/hovercard">#17347</a>)</li> </ul> <h3>React Is</h3> <ul> <li>Fix <code>lazy</code> and <code>memo</code> types considered elements instead of components (<a href="https://github.com/bvaughn">@ bvaughn</a> in <a href="https://github.com/facebook/react/pull/17278" data-hovercard-type="pull_request" data-hovercard-url="/facebook/react/pull/17278/hovercard">#17278</a>)</li> </ul> <h2>Artifacts</h2> <p>• react: <a href="https://unpkg.com/react@16.12.0/umd/" rel="nofollow">https://unpkg.com/react@16.12.0/umd/</a><br> • react-art: <a href="https://unpkg.com/react-art@16.12.0/umd/" rel="nofollow">https://unpkg.com/react-art@16.12.0/umd/</a><br> • react-dom: <a href="https://unpkg.com/react-dom@16.12.0/umd/" rel="nofollow">https://unpkg.com/react-dom@16.12.0/umd/</a><br> • react-is: <a href="https://unpkg.com/react-is@16.12.0/umd/" rel="nofollow">https://unpkg.com/react-is@16.12.0/umd/</a><br> • react-test-renderer: <a href="https://unpkg.com/react-test-renderer@16.12.0/umd/" rel="nofollow">https://unpkg.com/react-test-renderer@16.12.0/umd/</a><br> • scheduler: <a href="https://unpkg.com/scheduler@0.18.0/umd/" rel="nofollow">https://unpkg.com/scheduler@0.18.0/umd/</a></p> </li> <li> <b>16.11.0</b> - 2019-10-22 </li> <li> <b>16.10.2</b> - 2019-10-03 </li> <li> <b>16.10.1</b> - 2019-09-28 </li> <li> <b>16.10.0</b> - 2019-09-27 </li> <li> <b>16.9.0</b> - 2019-08-08 </li> <li> <b>16.9.0-rc.0</b> - 2019-08-05 </li> <li> <b>16.9.0-alpha.0</b> - 2019-04-03 </li> <li> <b>16.8.6</b> - 2019-03-28 </li> <li> <b>16.8.5</b> - 2019-03-22 </li> <li> <b>16.8.4</b> - 2019-03-05 </li> </ul> from <a href="https://github.com/facebook/react/releases">react-dom GitHub release notes</a> </details> </details> --- > [!IMPORTANT] > > - Check the changes in this PR to ensure they won't cause issues with your project. > - This PR was automatically created by Snyk using the credentials of a real user. --- **Note:** _You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs._ **For more information:** <img src="https://api.segment.io/v1/pixel/track?data=eyJ3cml0ZUtleSI6InJyWmxZcEdHY2RyTHZsb0lYd0dUcVg4WkFRTnNCOUEwIiwiYW5vbnltb3VzSWQiOiI4NTdmYmVkYy1hZTE3LTQ3ZGYtODhkYy03MTcyMWYxNThjZTkiLCJldmVudCI6IlBSIHZpZXdlZCIsInByb3BlcnRpZXMiOnsicHJJZCI6Ijg1N2ZiZWRjLWFlMTctNDdkZi04OGRjLTcxNzIxZjE1OGNlOSJ9fQ==" width="0" height="0"/> > - 🧐 [View latest project report](https://app.snyk.io/org/newkdr/project/12a8a5f5-3e19-438c-8280-eb8f4ee06d17?utm_source=github&utm_medium=referral&page=upgrade-pr) > - 📜 [Customise PR templates](https://docs.snyk.io/scan-using-snyk/pull-requests/snyk-fix-pull-or-merge-requests/customize-pr-templates) > - 🛠 [Adjust upgrade PR settings](https://app.snyk.io/org/newkdr/project/12a8a5f5-3e19-438c-8280-eb8f4ee06d17/settings/integration?utm_source=github&utm_medium=referral&page=upgrade-pr) > - 🔕 [Ignore this dependency or unsubscribe from future upgrade PRs](https://app.snyk.io/org/newkdr/project/12a8a5f5-3e19-438c-8280-eb8f4ee06d17/settings/integration?pkg=react-dom&utm_source=github&utm_medium=referral&page=upgrade-pr#auto-dep-upgrades) [//]: # 'snyk:metadata:{"customTemplate":{"variablesUsed":[],"fieldsUsed":[]},"dependencies":[{"name":"react-dom","from":"16.8.4","to":"16.14.0"}],"env":"prod","hasFixes":false,"isBreakingChange":false,"isMajorUpgrade":false,"issuesToFix":[],"prId":"857fbedc-ae17-47df-88dc-71721f158ce9","prPublicId":"857fbedc-ae17-47df-88dc-71721f158ce9","packageManager":"npm","priorityScoreList":[],"projectPublicId":"12a8a5f5-3e19-438c-8280-eb8f4ee06d17","projectUrl":"https://app.snyk.io/org/newkdr/project/12a8a5f5-3e19-438c-8280-eb8f4ee06d17?utm_source=github&utm_medium=referral&page=upgrade-pr","prType":"upgrade","templateFieldSources":{"branchName":"default","commitMessage":"default","description":"default","title":"default"},"templateVariants":[],"type":"auto","upgrade":[],"upgradeInfo":{"versionsDiff":13,"publishedDate":"2020-10-14T19:38:26.085Z"},"vulns":[]}'
# for free
to join this conversation on GitHub.
Already have an account?
# to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
As far as I can tell, the toString call was added here:
caae627#diff-5574f655d491348f422bca600ff6711dR887
However, we don't toString the HTML in the initial creation. Only updates. It was never really needed.
Subsequently when we added Trusted Types, this needed to be changed to a special call but we really should just always let it pass through.
Interestingly we should probably always let values pass through except for
when we need to do something special with the string which is rare.