From 65c9217610182b4d5db15868d4f72421d8637213 Mon Sep 17 00:00:00 2001 From: Amanvir Sangha Date: Tue, 13 Sep 2016 13:29:09 +0100 Subject: [PATCH] Update OWASP link in docs for dangerous innerHTML (#7710) --- tips/19-dangerously-set-inner-html.ko-KR.md | 2 +- tips/19-dangerously-set-inner-html.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/tips/19-dangerously-set-inner-html.ko-KR.md b/tips/19-dangerously-set-inner-html.ko-KR.md index 8cdf522a..62360669 100644 --- a/tips/19-dangerously-set-inner-html.ko-KR.md +++ b/tips/19-dangerously-set-inner-html.ko-KR.md @@ -6,7 +6,7 @@ permalink: tips/dangerously-set-inner-html-ko-KR.html prev: children-undefined-ko-KR.html --- -부적절히 `innerHTML`를 사용하면 [사이트 간 스크립팅 (XSS)](https://en.wikipedia.org/wiki/Cross-site_scripting) 공격에 노출됩니다. 화면의 사용자 입력을 정제하다(sanitize) 오류를 내기 쉬우며, 적절하게 사용자의 입력을 정제하지 못하면 인터넷 상 [웹 취약점의 원인](https://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf)이 됩니다. +부적절히 `innerHTML`를 사용하면 [사이트 간 스크립팅 (XSS)](https://en.wikipedia.org/wiki/Cross-site_scripting) 공격에 노출됩니다. 화면의 사용자 입력을 정제하다(sanitize) 오류를 내기 쉬우며, 적절하게 사용자의 입력을 정제하지 못하면 인터넷 상 [웹 취약점의 원인](https://www.owasp.org/index.php/Top_10_2013-Top_10)이 됩니다. 우리 설계철학은 안전을 "쉽게" 얻는 것입니다. 개발자는 그들의 의도를 명시적으로 알려야만 "안전하지 않는" 연산을 할 수 있습니다. `dangerouslySetInnerHTML` prop의 이름은 의도적으로 무섭게 만든 것인데, prop 값은 문자열이 아닌 객체이고 정제된 데이터를 지정하는데 쓸 수 있습니다. diff --git a/tips/19-dangerously-set-inner-html.md b/tips/19-dangerously-set-inner-html.md index 9f81ebc8..2b31393f 100644 --- a/tips/19-dangerously-set-inner-html.md +++ b/tips/19-dangerously-set-inner-html.md 
@@ -6,7 +6,7 @@ permalink: tips/dangerously-set-inner-html.html prev: children-undefined.html --- -Improper use of the `innerHTML` can open you up to a [cross-site scripting (XSS)](https://en.wikipedia.org/wiki/Cross-site_scripting) attack. Sanitizing user input for display is notoriously error-prone, and failure to properly sanitize is one of the [leading causes of web vulnerabilities](https://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf) on the internet. +Improper use of the `innerHTML` can open you up to a [cross-site scripting (XSS)](https://en.wikipedia.org/wiki/Cross-site_scripting) attack. Sanitizing user input for display is notoriously error-prone, and failure to properly sanitize is one of the [leading causes of web vulnerabilities](https://www.owasp.org/index.php/Top_10_2013-Top_10) on the internet. Our design philosophy is that it should be “easy” to make things safe, and developers should explicitly state their intent when performing “unsafe” operations. The prop name `dangerouslySetInnerHTML` is intentionally chosen to be frightening, and the prop value (an object instead of a string) can be used to indicate sanitized data.
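Review bot: in the ko-KR hunk, the replacement URL pins the 2013 edition (`Top_10_2013-Top_10`), so this anchor will go stale again the next time OWASP publishes a Top 10; consider linking the OWASP Top Ten project page and naming the edition in the sentence instead. The commit message says only "Update OWASP link" and gives no reason for dropping the `owasptop10.googlecode.com` PDF; a one-line note on why (for example whether that PDF still resolves) would help anyone reading the history later. The Korean `+` line otherwise mirrors the English change exactly, which is what we want for the translation.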
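Review bot: in the English hunk, the same pinned-edition concern applies to `https://www.owasp.org/index.php/Top_10_2013-Top_10`; if the intent is "the OWASP Top 10 in general", an edition-agnostic project link keeps the docs from needing another patch like this one. Since the `+` line is being rewritten anyway, the unchanged wording "Improper use of the `innerHTML`" could be tightened to "Improper use of `innerHTML`" in the same change. Both files now point at an identical URL, so the two translations stay in sync.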