Security
Input sanitization
While React escapes potentially malicious input before rendering a view, major CSS-in-JS solutions bypass this step. glaze skips it too, on purpose, so that external resources (e.g. background images) can be loaded from styles.
User-specified data shall therefore be escaped manually using CSS.escape() or an equivalent method before it is interpolated into a style.
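The following is an added example, not glaze's own code, showing why the manual escaping matters: a user-controlled URL interpolated verbatim into a url() value can close the string and append further declarations, whereas the same value passed through CSS.escape() cannot. Browsers provide CSS.escape() natively; the cssEscape() fallback below is an assumption for running the example under Node.js and follows the CSSOM algorithm. HOSTILE_URL is a constructed sample input.

```javascript
// Added example (not glaze's own code): escape user-supplied values before
// they are interpolated into CSS. In browsers CSS.escape() is built in; the
// cssEscape() fallback below reproduces the CSSOM CSS.escape() algorithm so
// the example also runs under Node.js (assumption: no DOM available there).
function cssEscape(value) {
  const str = String(value);
  const first = str.charCodeAt(0);
  let result = "";
  for (let i = 0; i < str.length; i++) {
    const c = str.charCodeAt(i);
    if (c === 0x0000) {
      // NULL is replaced by U+FFFD REPLACEMENT CHARACTER
      result += "\uFFFD";
    } else if (
      (c >= 0x0001 && c <= 0x001f) || c === 0x007f ||
      (i === 0 && c >= 0x0030 && c <= 0x0039) ||
      (i === 1 && c >= 0x0030 && c <= 0x0039 && first === 0x002d)
    ) {
      // control characters and leading digits become hex escapes ("\31 ")
      result += "\\" + c.toString(16) + " ";
    } else if (i === 0 && str.length === 1 && c === 0x002d) {
      // a lone "-" must be escaped to remain a valid identifier
      result += "\\" + str.charAt(i);
    } else if (
      c >= 0x0080 || c === 0x002d || c === 0x005f ||
      (c >= 0x0030 && c <= 0x0039) ||
      (c >= 0x0041 && c <= 0x005a) ||
      (c >= 0x0061 && c <= 0x007a)
    ) {
      // identifier characters (letters, digits, "-", "_", non-ASCII) pass through
      result += str.charAt(i);
    } else {
      // everything else (quotes, parentheses, ';', ':', ' ', ...) is backslash-escaped
      result += "\\" + str.charAt(i);
    }
  }
  return result;
}

// Prefer the native implementation when running in a browser.
const escapeCss =
  typeof CSS !== "undefined" && typeof CSS.escape === "function"
    ? (v) => CSS.escape(v)
    : cssEscape;

// Unsafe: the user-controlled URL is interpolated verbatim, so a value such as
// 'x.png"); color: red; a: url("' terminates url() and injects new declarations.
function unsafeBackgroundImage(userUrl) {
  return `background-image: url("${userUrl}")`;
}

// Safe: every quote, parenthesis and separator in the value is escaped, so the
// value stays inside the string no matter what the user supplied.
function safeBackgroundImage(userUrl) {
  return `background-image: url("${escapeCss(userUrl)}")`;
}

// Constructed sample input (not from the page) that attempts to break out.
const HOSTILE_URL = 'x.png"); color: red; a: url("';

// A declaration is intact when, after discarding backslash-escaped characters,
// exactly the two quotes delimiting the url() argument remain.
function declarationIsIntact(declaration) {
  const withoutEscapes = declaration.replace(/\\./g, "");
  return (withoutEscapes.match(/"/g) || []).length === 2;
}

console.log(unsafeBackgroundImage(HOSTILE_URL));
console.log(safeBackgroundImage(HOSTILE_URL));
```

The escaped form looks noisy (CSS.escape() also escapes characters such as "/" and "." that are harmless inside a quoted string), but a backslash-escaped character inside a CSS string simply denotes that character, so the resulting url() still resolves to the intended resource.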
Enforcing a CSP
In order to prevent harmful code injection on the web, a Content Security Policy (CSP) should be put in place.
During server-side rendering, a cryptographic nonce (number used once) may be embedded when generating a page on demand:
// Usage with webpack: https://webpack.js.org/guides/csp/
<StyleInjectorProvider nonce={__webpack_nonce__}>
{/* ... */}
</StyleInjectorProvider>
The same nonce parameter should be supplied to every <StyleInjectorProvider> in use.
Reporting a vulnerability
Please refer to the project's security policy to learn more about the responsible disclosure of potential threats.