docs: Fix XSS vulnerability in JSON-LD guide example #79630

Closed

Conversation

TechManTejas
Problem

The JSON-LD documentation example uses dangerouslySetInnerHTML with JSON.stringify() without proper escaping, creating an XSS vulnerability. Malicious content in product data (e.g., product.name containing </script><script>alert(1);</script>) could break out of the script tag and execute arbitrary JavaScript.

Solution

  • Added escapeJsonForScript() helper function that escapes < and > characters using Unicode escape sequences
  • Added security warning in documentation explaining the XSS risk
  • Added comment reminding developers to sanitize user data
  • Maintained example simplicity while making it secure

Security Impact

This change prevents potential XSS attacks that could occur when user-controlled data is included in JSON-LD structured data without proper escaping.

Testing

  • Verified the escaped JSON is still valid JSON-LD
  • Confirmed malicious payloads are properly escaped
  • Documentation renders correctly

Fixes: XSS vulnerability in JSON-LD documentation example

- Add escapeJsonForScript() helper to prevent script injection
- Add security warning about XSS risks with dangerouslySetInnerHTML
- Escape < and > characters using Unicode escape sequences
- Add comment about data sanitization requirements
@ijjk ijjk added the Documentation Related to Next.js' official documentation. label May 26, 2025
changeset-bot bot commented May 26, 2025

⚠️ No Changeset found

Latest commit: a54b9f3

@ijjk
Member

ijjk commented May 26, 2025

Allow CI Workflow Run

  • approve CI run for commit: a54b9f3

Note: this should only be enabled once the PR is ready to go and can only be enabled by a maintainer

@stefanprobst
Contributor

I think this has been addressed in #79627

@TechManTejas
Author

Yup

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jun 15, 2025