Making WordPress.org

Opened 6 years ago

Closed 5 years ago

#4504 closed defect (bug) (reported-upstream)

Security docs in Plugins hanbook for developing in block editor context

Reported by: manooweb's profile manooweb Owned by:
Milestone: Priority: normal
Component: Developer Hub Keywords:
Cc:

Description

Hello,

As we discussed during a #core-editor meeting on wednesday 5th June
https://wordpress.slack.com/archives/C02QB2JS7/p1559741727071700

it seems there is no guidelines about what a developer need to pay attention when he codes in javascript and espacially React technologies like that exists with PHP in the plugins handbook here https://developer.wordpress.org/plugins/security/

For example when we start and are new on these technologies we can ask ourselves some questions

  • Do I need to use JSX instead of createElement because JSX is safe?

See https://reactjs.org/docs/react-without-jsx.html
and https://reactjs.org/docs/introducing-jsx.html#jsx-prevents-injection-attacks

Is it the same because Babel compiles JSX down to React.createElement() calls?

  • What about the use of dangerouslySetInnerHtml? The block editor use it internally. What should we pay attention to when we need to use it?

https://reactjs.org/docs/dom-elements.html#dangerouslysetinnerhtml

  • What should we never do?

Because we don't really know where to open the issue I'm going to also open it on the Gutenberg repository on Github

Regards

Change History (2)

#1 @SergeyBiryukov
6 years ago

  • Component changed from General to Developer Hub

#2 @dd32
5 years ago

  • Resolution set to reported-upstream
  • Status changed from new to closed

I'm going to close this as a duplicate of the Gutenberg issue: https://github.com/WordPress/gutenberg/issues/16036

The Gutenberg team are the best ones to answer this and write up new documentation on what plugins should be doing here.

Note: See TracTickets for help on using tickets.