It is safe to embed user input in JSX:
像这样在JSX中嵌入用户输入是安全的:
const title = response.potentiallyMaliciousInput;
// This is safe:
const element =<h1>{title}</h1>;
By default, React DOM escapes any values embedded in JSX before rendering them.
默认情况,React DOM会在渲染前对嵌入JSX内的值进行转意。
Thus it ensures that you can never inject anything that's not explicitly written in your application.
这样做将确保你的应用不会被没有明确写的的东西注入。
Everything is converted to a string before being rendered. This helps prevent XSS (cross-site-scripting) attacks.
每个东西再被渲染前都会被转换为字符串。这样做会有效的防止XSS(跨站脚本)攻击。
网友评论