React Security
Priority: P0 (CRITICAL)
Preventing vulnerabilities in client-side apps.
Implementation Guidelines
- •XSS: Avoid
dangerouslySetInnerHTML. Sanitize viaDOMPurifyif needed. - •URLs: Validate
javascript:protocols in user links. - •Auth: Store tokens in
HttpOnlycookies. AvoidlocalStorage. - •Deps: Run
npm audit. Pin versions. - •Secrets: Server-side only. No
.envsecrets in build. - •CSP: Strict Content-Security-Policy headers.
Anti-Patterns
- •No
eval(): RCE risk. - •No Serialized State: Don't inject JSON into DOM without escaping.
- •No Client Logic for Permissions: Backend must validate.
Code
tsx
import DOMPurify from 'dompurify';
// Safe HTML Injection
function SafeHtml({ content }) {
const clean = DOMPurify.sanitize(content);
return <div dangerouslySetInnerHTML={{ __html: clean }} />;
}
// Bad Link Prevention
const safeUrl = url.startsWith('javascript:') ? '#' : url;
<a href={safeUrl}>Link</a>;
Related Topics
common/security-standards | typescript/security | component-patterns