Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Added documentation about potential XSS in router.push #71645

Merged
merged 4 commits into from
Oct 30, 2024
Merged

Added documentation about potential XSS in router.push #71645

Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
3f60b40
Added documentation about potential XSS in router.push
aickin Oct 22, 2024
18feb4a
Added documentation about XSS vulnerability to router.replace
aickin Oct 23, 2024
1024026
Response to code review. Pulled note out into the "Good to know" sect…
aickin Oct 30, 2024
8f0c479
Merge branch 'canary' into add-router-push-doc
aickin Oct 30, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions docs/02-app/02-api-reference/04-functions/use-router.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -50,6 +50,7 @@ export default function Page() {

> **Good to know**:
>
> - You must not send untrusted or unsanitized URLs to `router.push` or `router.replace`, as this can open your site to cross-site scripting (XSS) vulnerabilities. For example, `javascript:` URLs sent to `router.push` or `router.replace` will be executed in the context of your page.
> - The `<Link>` component automatically prefetch routes as they become visible in the viewport.
> - `refresh()` could re-produce the same result if fetch requests are cached. Other Dynamic APIs like `cookies` and `headers` could also change the response.

Expand Down
Loading