This repository has been archived by the owner on May 17, 2019. It is now read-only.
No html escape for developer error #654
Comments
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Error message and stack are inserted into a page when server-side rendering error occurs in dev mode.
Type of issue
Bug (maybe minor)
Current behavior
Add
throw new Error('<script>alert(1)<script>')into Root compoentnt. Reload page: browser shows red page with error. Script tag inserted as is. By default CSP doesn't allow scripts, so it is not executed.Fusion code
Expected behavior
HTML tags are escaped.
Your environment
1.13.1
The text was updated successfully, but these errors were encountered: