Generate safe javascript url instead of throwing with disableJavaScri…
…ptURLs is on (#26507)

We currently throw an error when disableJavaScriptURLs is on and trigger
an error boundary. I kind of thought that's what would happen with CSP
or Trusted Types anyway. However, that's not what happens. Instead, in
those environments what happens is that the error is triggered when you
try to actually visit those links. So if you `preventDefault()` or
something it'll never show up and since the error just logs to the
console or to a violation logger, it's effectively a noop to users.

We can simulate the same without CSP by simply generating a different
`javascript:` url that throws instead of executing the potential attack
vector.

This still allows these to be used - at least as long as you
preventDefault before using them in practice. This might be legit for
forms. We still don't recommend using them for links-as-buttons since
it'll be possible to "Open in a New Tab" and other weird artifacts. For
links we still recommend the technique of assigning a button role etc.

It also is a little nicer when an attack actually happens because at
least it doesn't allow an attacker to trigger error boundaries and
effectively deny access to a page.

DiffTrain build for commit 4c2fc01.
sebmarkbage committed Mar 30, 2023
1 parent b710933 commit cf240d6
Showing 13 changed files with 19 additions and 19 deletions.
Expand Up @@ -23762,7 +23762,7 @@ function createFiberRoot(
return root;
}

var ReactVersion = "18.3.0-next-f0aafa1a7-20230329";
var ReactVersion = "18.3.0-next-4c2fc0190-20230329";

// Might add PROFILE later.

Expand Up @@ -8640,7 +8640,7 @@ var devToolsConfig$jscomp$inline_1007 = {
throw Error("TestRenderer does not support findFiberByHostInstance()");
},
bundleType: 0,
version: "18.3.0-next-f0aafa1a7-20230329",
version: "18.3.0-next-4c2fc0190-20230329",
rendererPackageName: "react-test-renderer"
};
var internals$jscomp$inline_1198 = {
Expand Down Expand Up @@ -8671,7 +8671,7 @@ var internals$jscomp$inline_1198 = {
scheduleRoot: null,
setRefreshHandler: null,
getCurrentFiber: null,
reconcilerVersion: "18.3.0-next-f0aafa1a7-20230329"
reconcilerVersion: "18.3.0-next-4c2fc0190-20230329"
};
if ("undefined" !== typeof __REACT_DEVTOOLS_GLOBAL_HOOK__) {
var hook$jscomp$inline_1199 = __REACT_DEVTOOLS_GLOBAL_HOOK__;
Expand Up @@ -9065,7 +9065,7 @@ var devToolsConfig$jscomp$inline_1050 = {
throw Error("TestRenderer does not support findFiberByHostInstance()");
},
bundleType: 0,
version: "18.3.0-next-f0aafa1a7-20230329",
version: "18.3.0-next-4c2fc0190-20230329",
rendererPackageName: "react-test-renderer"
};
var internals$jscomp$inline_1239 = {
Expand Down Expand Up @@ -9096,7 +9096,7 @@ var internals$jscomp$inline_1239 = {
scheduleRoot: null,
setRefreshHandler: null,
getCurrentFiber: null,
reconcilerVersion: "18.3.0-next-f0aafa1a7-20230329"
reconcilerVersion: "18.3.0-next-4c2fc0190-20230329"
};
if ("undefined" !== typeof __REACT_DEVTOOLS_GLOBAL_HOOK__) {
var hook$jscomp$inline_1240 = __REACT_DEVTOOLS_GLOBAL_HOOK__;
Expand Up @@ -27,7 +27,7 @@ if (
}
"use strict";

var ReactVersion = "18.3.0-next-f0aafa1a7-20230329";
var ReactVersion = "18.3.0-next-4c2fc0190-20230329";

// ATTENTION
// When adding new symbols to this file,
Expand Up @@ -639,4 +639,4 @@ exports.useSyncExternalStore = function (
);
};
exports.useTransition = useTransition;
exports.version = "18.3.0-next-f0aafa1a7-20230329";
exports.version = "18.3.0-next-4c2fc0190-20230329";
Expand Up @@ -642,7 +642,7 @@ exports.useSyncExternalStore = function (
);
};
exports.useTransition = useTransition;
exports.version = "18.3.0-next-f0aafa1a7-20230329";
exports.version = "18.3.0-next-4c2fc0190-20230329";

/* global __REACT_DEVTOOLS_GLOBAL_HOOK__ */
if (
@@ -1 +1 @@
f0aafa1a7e3338871f60ac3ea8c1c92b8671520c
4c2fc01900f50b5b1081a2fb8609ea2668bc05b6
Expand Up @@ -27028,7 +27028,7 @@ function createFiberRoot(
return root;
}

var ReactVersion = "18.3.0-next-f0aafa1a7-20230329";
var ReactVersion = "18.3.0-next-4c2fc0190-20230329";

function createPortal$1(
children,
Expand Up @@ -9507,7 +9507,7 @@ var roots = new Map(),
devToolsConfig$jscomp$inline_1027 = {
findFiberByHostInstance: getInstanceFromNode,
bundleType: 0,
version: "18.3.0-next-f0aafa1a7-20230329",
version: "18.3.0-next-4c2fc0190-20230329",
rendererPackageName: "react-native-renderer",
rendererConfig: {
getInspectorDataForViewTag: function () {
Expand Down Expand Up @@ -9549,7 +9549,7 @@ var internals$jscomp$inline_1273 = {
scheduleRoot: null,
setRefreshHandler: null,
getCurrentFiber: null,
reconcilerVersion: "18.3.0-next-f0aafa1a7-20230329"
reconcilerVersion: "18.3.0-next-4c2fc0190-20230329"
};
if ("undefined" !== typeof __REACT_DEVTOOLS_GLOBAL_HOOK__) {
var hook$jscomp$inline_1274 = __REACT_DEVTOOLS_GLOBAL_HOOK__;
Expand Up @@ -10215,7 +10215,7 @@ var roots = new Map(),
devToolsConfig$jscomp$inline_1106 = {
findFiberByHostInstance: getInstanceFromNode,
bundleType: 0,
version: "18.3.0-next-f0aafa1a7-20230329",
version: "18.3.0-next-4c2fc0190-20230329",
rendererPackageName: "react-native-renderer",
rendererConfig: {
getInspectorDataForViewTag: function () {
Expand Down Expand Up @@ -10270,7 +10270,7 @@ var roots = new Map(),
scheduleRoot: null,
setRefreshHandler: null,
getCurrentFiber: null,
reconcilerVersion: "18.3.0-next-f0aafa1a7-20230329"
reconcilerVersion: "18.3.0-next-4c2fc0190-20230329"
});
exports.createPortal = function (children, containerTag) {
return createPortal$1(
Expand Up @@ -27568,7 +27568,7 @@ function createFiberRoot(
return root;
}

var ReactVersion = "18.3.0-next-f0aafa1a7-20230329";
var ReactVersion = "18.3.0-next-4c2fc0190-20230329";

function createPortal$1(
children,
Expand Up @@ -9763,7 +9763,7 @@ var roots = new Map(),
devToolsConfig$jscomp$inline_1086 = {
findFiberByHostInstance: getInstanceFromTag,
bundleType: 0,
version: "18.3.0-next-f0aafa1a7-20230329",
version: "18.3.0-next-4c2fc0190-20230329",
rendererPackageName: "react-native-renderer",
rendererConfig: {
getInspectorDataForViewTag: function () {
Expand Down Expand Up @@ -9805,7 +9805,7 @@ var internals$jscomp$inline_1339 = {
scheduleRoot: null,
setRefreshHandler: null,
getCurrentFiber: null,
reconcilerVersion: "18.3.0-next-f0aafa1a7-20230329"
reconcilerVersion: "18.3.0-next-4c2fc0190-20230329"
};
if ("undefined" !== typeof __REACT_DEVTOOLS_GLOBAL_HOOK__) {
var hook$jscomp$inline_1340 = __REACT_DEVTOOLS_GLOBAL_HOOK__;
Expand Up @@ -10471,7 +10471,7 @@ var roots = new Map(),
devToolsConfig$jscomp$inline_1165 = {
findFiberByHostInstance: getInstanceFromTag,
bundleType: 0,
version: "18.3.0-next-f0aafa1a7-20230329",
version: "18.3.0-next-4c2fc0190-20230329",
rendererPackageName: "react-native-renderer",
rendererConfig: {
getInspectorDataForViewTag: function () {
Expand Down Expand Up @@ -10526,7 +10526,7 @@ var roots = new Map(),
scheduleRoot: null,
setRefreshHandler: null,
getCurrentFiber: null,
reconcilerVersion: "18.3.0-next-f0aafa1a7-20230329"
reconcilerVersion: "18.3.0-next-4c2fc0190-20230329"
});
exports.__SECRET_INTERNALS_DO_NOT_USE_OR_YOU_WILL_BE_FIRED = {
computeComponentStackForErrorReporting: function (reactTag) {