在 React 中解码字符串

Question

我正在显示用户对与 DomPurify 的反应的评论。 当用户输入危险字符串时：例如 ' 它被编码， 我怎样才能安全地解码它？

代码如下：

 <p className="donor-comment">
    {DOMPurify.sanitize(hit.comment)}
 </p>

提前致谢

Answer 1

您不必手动或使用 third-party 库（如 DOMPurify）来转义用户输入。 React DOM 默认执行它。

https://reactjs.org/docs/introducing-jsx.html#jsx-prevents-injection-attacks

By default, React DOM escapes any values embedded in JSX before rendering them. Thus it ensures that you can never inject anything that’s not explicitly written in your application. Everything is converted to a string before being rendered. This helps prevent XSS (cross-site-scripting) attacks.