Opened 6 years ago
Closed 5 years ago
#4504 closed defect (bug) (reported-upstream)
Security docs in Plugins hanbook for developing in block editor context
Reported by: | manooweb | Owned by: | |
---|---|---|---|
Milestone: | Priority: | normal | |
Component: | Developer Hub | Keywords: | |
Cc: |
Description
Hello,
As we discussed during a #core-editor meeting on wednesday 5th June
https://wordpress.slack.com/archives/C02QB2JS7/p1559741727071700
it seems there is no guidelines about what a developer need to pay attention when he codes in javascript and espacially React technologies like that exists with PHP in the plugins handbook here https://developer.wordpress.org/plugins/security/
For example when we start and are new on these technologies we can ask ourselves some questions
- Do I need to use JSX instead of createElement because JSX is safe?
See https://reactjs.org/docs/react-without-jsx.html
and https://reactjs.org/docs/introducing-jsx.html#jsx-prevents-injection-attacks
Is it the same because Babel compiles JSX down to React.createElement() calls?
- What about the use of dangerouslySetInnerHtml? The block editor use it internally. What should we pay attention to when we need to use it?
https://reactjs.org/docs/dom-elements.html#dangerouslysetinnerhtml
- What should we never do?
Because we don't really know where to open the issue I'm going to also open it on the Gutenberg repository on Github
Regards
I'm going to close this as a duplicate of the Gutenberg issue: https://github.com/WordPress/gutenberg/issues/16036
The Gutenberg team are the best ones to answer this and write up new documentation on what plugins should be doing here.