create-react-app issue #2789 (Closed)

Issue created Jul 14, 2017 by Administrator (@root), Contributor

XSS (or parse error) in `react-error-overlay` with specific coding style

Created by: ccloli

Is this a bug report?

Yes

Can you also reproduce the problem with npm 4.x?

Reproduced on 5.0.3 and 4.6.1

Environment

  1. node -v: v8.1.3
  2. npm -v: 5.0.3 and 4.6.1
  3. yarn --version (if you use Yarn):
  4. npm ls react-scripts (if you haven’t ejected): react-scripts@1.0.10

Then, specify:

  1. Operating system: Microsoft Windows 7 Professional x64 (6.1.7601)
  2. Browser and version (if relevant): Google Chrome 59.0.3071.115 x64 (Stable)

Steps to Reproduce

  1. create-react-app xss-test, then cd xss-test
  2. Copy the files below and paste them to overwrite the files
  3. npm start and open localhost:3000
  4. Click any checkbox that is showing on the page
  5. An error dialog will be shown; click the checkbox that is shown on the source code panel
  6. A dialog saying /XSS/ will be shown

Expected Behavior

It shouldn't show the checkbox; it should display the source code. [screenshot]

Actual Behavior

It shows the checkbox, and the JavaScript in the onclick attribute is evaluated after clicking it. [screenshots]

Reproducible Demo

https://github.com/ccloli/create-react-app-xss-example
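An added example, not code from the original issue, create-react-app or react-error-overlay, showing the defect the report describes: a source line inserted into the overlay as raw HTML, beside the same line HTML-escaped first so the embedded checkbox renders as inert text. All function names and the sample source line are constructed for this illustration.

```javascript
// Map of the five characters that can open a tag, attribute or entity in HTML.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape a string so a browser renders it as text rather than parsing it as markup.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern (hypothetical): the source line is interpolated straight into
// the markup that will be assigned to innerHTML, so any tag in it becomes live.
function renderSourceLineUnsafe(line) {
  return `<div class="source-line">${line}</div>`;
}

// Hardened pattern: the same line is escaped first, so it is displayed verbatim.
function renderSourceLineSafe(line) {
  return `<div class="source-line">${escapeHtml(line)}</div>`;
}

// List the tag names present in a rendered fragment. Anything besides the
// wrapper <div> means the source line was parsed as markup instead of text.
function tagNames(html) {
  const names = [];
  const re = /<\/?([A-Za-z][\w-]*)/g;
  let m;
  while ((m = re.exec(html)) !== null) names.push(m[1].toLowerCase());
  return names;
}

// Detection check: true when the rendered fragment carries tags the overlay did not add.
function hasInjectedMarkup(html) {
  return tagNames(html).some((name) => name !== 'div');
}

// Constructed source line modelled on the report: a checkbox with an onclick attribute.
const SAMPLE_LINE = `const html = '<input type="checkbox" onclick="alert(/XSS/)">';`;

console.log(hasInjectedMarkup(renderSourceLineUnsafe(SAMPLE_LINE))); // true
console.log(hasInjectedMarkup(renderSourceLineSafe(SAMPLE_LINE)));   // false
```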
