@milankinen
Created December 2, 2015 08:42
injection without he
// Client side (the code bundled into /public/bundle.js): read the state the server
// embedded in the data attribute. getAttribute() returns the entity-decoded value,
// so JSON.parse sees the original JSON string, not the escaped form in the markup.
const app = document.getElementById('app')
const initial = JSON.parse(app.getAttribute('data-state'))
console.log(initial)
// Page component (JSX). React escapes the data-state attribute value when it
// renders, so the JSON cannot terminate the attribute or inject markup.
import React from 'react'

const page = state => (
  <html>
    <head>
      <title>evil</title>
    </head>
    <body>
      <div id="app" data-state={JSON.stringify(state)} />
      <script type="text/javascript" src="/public/bundle.js" />
    </body>
  </html>
)
// Server (Express); `page` is the component defined above.
import express from 'express'
import { renderToStaticMarkup } from 'react-dom/server'

const app = express()

app.get("/", (req, res) => {
  // State with script tags both as a value and as a key
  const EVIL_MOLLYLLA = {
    "foo": "<script>alert('lol')</script>",
    "<script>alert('bal')</script>": "tsers"
  }
  res.set("Content-Type", "text/html")
  res.send(renderToStaticMarkup(page(EVIL_MOLLYLLA)))
})
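The following is an added example, not part of the gist, showing in plain JavaScript (no React, no browser) why the attribute approach above holds up: the server-side escaping turns every `<`, `>`, `"`, `'` and `&` in the JSON into an entity, so the payload never appears as markup, and the client's `getAttribute()` decodes it back into the original JSON. The `escapeAttribute` function is a minimal reimplementation of the escaping React applies to attribute values (an assumption about React's behaviour, not React's code), and `decodeAttribute` stands in for what the browser does in `getAttribute()`. The naive renderer beside it shows what happens when the JSON is interpolated without escaping: the first `"` in the JSON closes the attribute and the rest lands in the document as markup.

```javascript
// Added example (not from the gist): escaped vs. unescaped JSON in a data attribute.

// Minimal reimplementation of attribute escaping as React applies it
// (assumption: these five characters; this is not React's own code).
const ATTR_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
function escapeAttribute(s) {
  return String(s).replace(/[&<>"']/g, ch => ATTR_ESCAPES[ch]);
}

// Stand-in for the browser's getAttribute(): a single decoding pass over the entities.
const ATTR_UNESCAPES = { '&amp;': '&', '&lt;': '<', '&gt;': '>', '&quot;': '"', '&#x27;': "'" };
function decodeAttribute(s) {
  return s.replace(/&(?:amp|lt|gt|quot|#x27);/g, ent => ATTR_UNESCAPES[ent]);
}

// Escaped rendering: what renderToStaticMarkup does with data-state={JSON.stringify(state)}.
function renderSafe(state) {
  return `<div id="app" data-state="${escapeAttribute(JSON.stringify(state))}"></div>`;
}

// Naive rendering: JSON interpolated straight into the attribute, no escaping.
function renderNaive(state) {
  return `<div id="app" data-state="${JSON.stringify(state)}"></div>`;
}

// Detection check: does a raw "<script" appear anywhere in the rendered HTML?
// With escaping the payload only exists as "&lt;script&gt;", so this is false.
function containsRawScriptTag(html) {
  return /<script/i.test(html);
}

// Simulated client: extract the attribute value, decode it as the DOM would,
// and parse the JSON. Returns null when the attribute was broken or unparsable.
function clientReadState(html) {
  const m = html.match(/data-state="([^"]*)"/);
  if (!m) return null;
  try {
    return JSON.parse(decodeAttribute(m[1]));
  } catch (e) {
    return null;
  }
}

// Constructed sample state with the same shape as the gist's EVIL_MOLLYLLA.
const EVIL_STATE = {
  foo: "<script>alert('lol')</script>",
  "<script>alert('bal')</script>": 'tsers',
};

// Stand-alone run: print both renderings and what the client recovers from each.
console.log('safe  :', renderSafe(EVIL_STATE));
console.log('naive :', renderNaive(EVIL_STATE));
console.log('client reads (safe) :', clientReadState(renderSafe(EVIL_STATE)));
console.log('client reads (naive):', clientReadState(renderNaive(EVIL_STATE)));
```

The round trip works because the escaping and the browser's decoding are exact inverses for attribute values. Note that this guarantee is specific to attributes: the same `JSON.stringify(state)` placed inside an inline `<script>` block is not entity-decoded by the parser, and a `</script>` inside a string value would end the block there, so the data-attribute pattern used in the gist is the safer place for server-rendered state.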