Error message and stack are inserted into a page when a server-side rendering error occurs in dev mode.
Type of issue
Bug (maybe minor)
Current behavior
Add throw new Error('<script>alert(1)<script>') into the Root component. Reload the page: the browser shows a red page with the error. The script tag is inserted as is. By default CSP doesn't allow scripts, so it is not executed.
Fusion code
Expected behavior
HTML tags are escaped.
Your environment
- fusion-cli version: 1.13.1
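The reported behaviour next to the expected one, as an added example that is not part of the original report and not fusion-cli's own code. The renderer functions, their names and the page markup are hypothetical; only the thrown error comes from the report.

```javascript
// Added example: hypothetical dev-mode error page renderer, not fusion-cli code.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape the characters that are significant in HTML text and attribute values.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// "Before": message and stack are interpolated as-is (the reported behaviour).
function renderErrorPageRaw(err) {
  return `<body style="background:#c00"><h1>${err.message}</h1><pre>${err.stack}</pre></body>`;
}

// "After": both fields are escaped. The stack needs escaping too, because
// V8 repeats the message on the first line of err.stack.
function renderErrorPageEscaped(err) {
  // JavaScript can throw non-Error values, so do not assume .message/.stack exist.
  const isError = err instanceof Error;
  const message = escapeHtml(isError ? err.message : err);
  const stack = escapeHtml(isError && err.stack ? err.stack : '');
  return `<body style="background:#c00"><h1>${message}</h1><pre>${stack}</pre></body>`;
}

// Constructed input: the error thrown in the report.
function sampleError() {
  return new Error('<script>alert(1)<script>');
}

const raw = renderErrorPageRaw(sampleError());
const escaped = renderErrorPageEscaped(sampleError());
console.log('raw page contains <script>:    ', raw.includes('<script>'));
console.log('escaped page contains <script>:', escaped.includes('<script>'));
```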