Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CSP meta content is escaped #11

Open
vcarl opened this issue Sep 5, 2019 · 2 comments
Open

CSP meta content is escaped #11

vcarl opened this issue Sep 5, 2019 · 2 comments

Comments

@vcarl
Copy link

vcarl commented Sep 5, 2019
edited
Loading

A production build puts the following in my head, as seen in curl:

<meta
  http-equiv="Content-Security-Policy"
  content="script-src &#x27;self&#x27; &#x27;sha256-<hash>&#x27; &#x27;<hash>&#x27;;"
/>

The 's are being escaped to &#x27;, which is breaking the CSP. It looks like createElement is escaping the HTML entities, so this meta tag might need to be constructed a different way.
@vcarl
Copy link
Author

vcarl commented Sep 5, 2019

Been beating my head against this since opening the issue, am not sure what a fix is. I'm flat not able to get this package to work, I'm curious if there's a workaround I'm not seeing.

There's a confluence that makes this hard to fix: React doesn't support top-level dangerouslySetInnerHTML, and <meta> tags can't be nested within another tag. Drawing a blank on any other ways to ensure this property doesn't get escaped.

@fhelipe-turati-appnovation
Copy link

Hi, I'm getting the same issue with the ' in the ' ' place.... any news about this issue?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@vcarl @fhelipe-turati-appnovation