Skip to content

[Blazor] Security - interactive-server-side-rendering - script tags #34202

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
guardrex merged 2 commits into from
Dec 12, 2024
Merged

[Blazor] Security - interactive-server-side-rendering - script tags #34202

guardrex merged 2 commits into from
Dec 12, 2024

Conversation

@hakenr
Copy link
Member

@hakenr hakenr commented Nov 22, 2024
edited by github-actions bot
Loading

Script tags aren't allowed and shouldn't be included in the app's component render tree. If a script tag is included in a component's markup, a compile-time error is generated.

I'm not aware of any such compile-time behavior.
While it's not recommended to include script tags in your interactive components (since the behavior can be tricky), there's no built-in mechanism that prevents you from including a script tag in the render tree.

Internal previews

📄 File 🔗 Preview link
aspnetcore/blazor/security/interactive-server-side-rendering.md aspnetcore/blazor/security/interactive-server-side-rendering

@hakenr hakenr requested a review from guardrex as a code owner November 22, 2024 01:07
@guardrex
Copy link
Collaborator

guardrex commented Nov 22, 2024
edited
Loading

This goes back to the inception of the article five years ago on #13962, written by Javier and reviewed by Steve Sanderson and Ryan Nowak when he worked on Blazor. It's at Line 194 of ...

https://github.com/dotnet/AspNetCore.Docs/pull/13962/files#diff-4962dbf450346ed225e83e082be3ddbae62e523fd1980145aa2af347ec62a2eaR194

Stand-by while I get them on here to take a look.

@guardrex guardrex self-assigned this Nov 22, 2024
@guardrex
Copy link
Collaborator

guardrex commented Nov 25, 2024

UPDATE (11/25): There might be a delay. We're in the Thanksgiving 🦃 holiday season here, so it might take a week or longer to advance this. Stand-by, and we'll get back to this ASAP! 🏃‍♂

@guardrex
Copy link
Collaborator

guardrex commented Nov 27, 2024

I sent Javier another message on this. He might respond soon.

I'm going to perform an auto-responder workflow test on this PR for the Thanksgiving holiday 🦃 by taking my review assignment off and re-adding it.

@guardrex guardrex requested review from guardrex and javiercn and removed request for guardrex November 27, 2024 16:08
@SteveSandersonMS
Copy link
Member

SteveSandersonMS commented Dec 12, 2024

See dotnet/razor#8744

There used to be a compile-time error if you had a <script> inside .razor due to the tricky bits that @hakenr mentions, and because at that time we didn't think there were valid scenarios for people doing it.

However from .NET 8 onwards when we added full SSR support, we judged that there were important scenarios for using <script> with SSR so the balance tipped towards allowing it without any warnings or errors.

guardrex
guardrex approved these changes Dec 12, 2024
View reviewed changes
Copy link
Collaborator

@guardrex guardrex left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, @hakenr! I'll update a 2nd spot where this sentiment exists on a separate PR shortly.

@guardrex guardrex merged commit f538c9a into dotnet:main Dec 12, 2024
3 checks passed
@hakenr hakenr deleted the patch-39 branch December 12, 2024 22:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@guardrex guardrex guardrex approved these changes

@javiercn javiercn Awaiting requested review from javiercn

Assignees

@guardrex guardrex

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@hakenr @guardrex @SteveSandersonMS