Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

InvalidCharacterError: Failed to execute 'createElement' #34

Closed
4 tasks done
bradmsmith opened this issue Oct 22, 2024 · 3 comments
Closed
4 tasks done

InvalidCharacterError: Failed to execute 'createElement' #34

bradmsmith opened this issue Oct 22, 2024 · 3 comments
Labels
🙅 no/wontfix This is not (enough of) an issue for this project 👎 phase/no Post cannot or will not be acted on

Comments

@bradmsmith
Copy link

bradmsmith commented Oct 22, 2024
edited
Loading

Initial checklist

Affected packages and versions

Latest

Link to runnable example

No response

Steps to reproduce

  1. Visit demo site: https://remarkjs.github.io/react-markdown/
  2. Delete demo text and replace with </p><</div>/span>/div><button&#160;onClick=alert(1)>
  3. Select the Use rehype-raw checkbox
  4. View error in Developer Tools Javascript Console

Expected behavior

Properly filter out malformed HTML tags and ASCII encoding of space (&#160;)

Actual behavior

Attempts to create a HTML element named <button&>

Note: if this is a bug in a dependency, I would appreciate if you could direct me to proper place to report issue. Posting it here because it only occurs when the rehypeRaw plugin is enabled for react-markdown.

Runtime

No response

Package manager

No response

OS

macOS

Build and bundle tools

No response
@github-actions github-actions bot added 👋 phase/new Post is being triaged automatically 🤞 phase/open Post is being triaged manually and removed 👋 phase/new Post is being triaged automatically labels Oct 22, 2024
@wooorm
Copy link
Member

wooorm commented Oct 22, 2024

Hi!

malformed HTML tags

Important to note is that there is no “malformed” HTML. Every case of the HTML parser is defined. Every character does something.
All these characters in your input have a meaning.

ASCII encoding of space (&#160;)

The term for these things is character references in HTML.
The decimal code 160 is hexadecimal A0. Which is non-breaking space.
Not a regular space.

However, in that place in HTML tags, character references are not supported. So this is not a non-breaking space. This is actually those characters.

When running into a problem, when raising an issue, I’d always recommend trying to make the reproduction smaller. Here’s what I came up with: <p><button&#160;a=b>.

Now. When loading that in a browser (document.body.innerHTML = '<p><button&#160;a=b>'), you will get this DOM:

<p>
  <button&#160;a=b></button&#160;a=b>
</p>

When creating that element with the DOM, you’d get:

document.createElement('button&#160;a=b')
// [Error: InvalidCharacterError: The string contains invalid characters.]

So. The error you get now with rehype-raw and React is exactly what happens when you do this yourself with the DOM.

I don’t think there’s an alternative.

I think the current behavior is good.

@wooorm
Copy link
Member

wooorm commented Nov 1, 2024

As mentioned, I do not think there is an alternative, this is how HTML and the DOM work

@wooorm wooorm closed this as not planned Won't fix, can't repro, duplicate, stale Nov 1, 2024
@wooorm wooorm added the 🙅 no/wontfix This is not (enough of) an issue for this project label Nov 1, 2024
@github-actions GitHub Actions

This comment has been minimized.

Sign in to view
@github-actions github-actions bot added 👎 phase/no Post cannot or will not be acted on and removed 🤞 phase/open Post is being triaged manually labels Nov 1, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
🙅 no/wontfix This is not (enough of) an issue for this project 👎 phase/no Post cannot or will not be acted on
Milestone
No milestone
Development

No branches or pull requests
2 participants
@wooorm @bradmsmith