OSSForks/react
1
0
Fork 0
mirror of https://github.com/zebrajr/react.git synced 2026-01-15 12:15:22 +00:00
Code Issues Actions 6 Packages Projects Releases Wiki Activity
Files
95319ab5afd384f5858f7c080573b9736e6b2f9c
react/scripts/error-codes
History
Sebastian Markbåge 72e02a8350 [Flight Reply] Don't allow Symbols to be passed to a reply (#28610) 
As mentioned in #28609 there's a potential security risk if you allow a
passed value to the server to spoof Elements because it allows a hacker
to POST cross origin. This is only an issue if your framework allows
this which it shouldn't but it seems like we should provide an extra
layer of security here.

```js
function action(errors, payload) {
  try {
    ...
  } catch (x) {
    return [newError].concat(errors);
  }
}
```
```js
const [errors, formAction] = useActionState(action);
return <div>{errors}</div>;
```
This would allow you to construct a payload where the previous "errors"
set includes something like `<script src="danger.js" />`.

We could block only elements from being received but it could
potentially be a risk with creating other React types like Context too.
We use symbols as a way to securely brand these.

Most JS don't use this kind of branding with symbols like we do. They're
generally properties which we don't support anyway. However in theory
someone else could be using them like we do. So in an abundance of
carefulness I just ban all symbols from being passed (except by
temporary reference) - not just ours.

This means that the format isn't fully symmetric even beyond just React
Nodes.

#28611 allows code that includes symbols/elements to continue working
but may have to bail out to replaying instead of no JS sometimes.
However, you still can't access the symbols inside the server - they're
by reference only.
2024-03-21 16:53:02 -04:00
..
__tests__
Update jest escapeString config (#26140)
2023-02-10 00:08:37 +01:00
codes.json
[Flight Reply] Don't allow Symbols to be passed to a reply (#28610)
2024-03-21 16:53:02 -04:00
extract-errors.js
Follow-up improvements to error code extraction infra (#22516)
2021-10-31 15:37:32 -07:00
invertObject.js
[useFormState] Allow sync actions (#27571)
2023-10-31 23:32:31 -04:00
README.md
Follow-up improvements to error code extraction infra (#22516)
2021-10-31 15:37:32 -07:00
transform-error-messages.js
Upgrade prettier (#26081)
2023-01-31 08:25:05 -05:00
Types.js
Upgrade prettier (#26081)
2023-01-31 08:25:05 -05:00

README.md

The error code system substitutes React's error messages with error IDs to provide a better debugging support in production. Check out the blog post here.

  • codes.json contains the mapping from IDs to error messages. This file is generated by the Gulp plugin and is used by both the Babel plugin and the error decoder page in our documentation. This file is append-only, which means an existing code in the file will never be changed/removed.
  • extract-errors.js is an node script that traverses our codebase and updates codes.json. You can test it by running yarn extract-errors. It works by crawling the build artifacts directory, so you need to have either run the build script or downloaded pre-built artifacts (e.g. with yarn download build). It works with partial builds, too.
  • transform-error-messages is a Babel pass that rewrites error messages to IDs for a production (minified) build.
Reference in New Issue View Git Blame Copy Permalink