From 3621d39ee97c79d20cac12349a2b8cc0647fce3b Mon Sep 17 00:00:00 2001
From: Rick Hanlon
Date: Tue, 27 Feb 2024 10:42:41 -0500
Subject: [PATCH 1/2] Turn on disableJavaScriptURLs for experimental
---
 packages/shared/ReactFeatureFlags.js | 2 +-
 packages/shared/forks/ReactFeatureFlags.test-renderer.js | 2 +-
 packages/shared/forks/ReactFeatureFlags.test-renderer.www.js | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/packages/shared/ReactFeatureFlags.js b/packages/shared/ReactFeatureFlags.js
index 0d283614d344f..56b0df83540d6 100644
--- a/packages/shared/ReactFeatureFlags.js
+++ b/packages/shared/ReactFeatureFlags.js
@@ -145,7 +145,7 @@ export const disableLegacyContext = false;
 // Not ready to break experimental yet.
 // Disable javascript: URL strings in href for XSS protection.
-export const disableJavaScriptURLs = false;
+export const disableJavaScriptURLs = __NEXT_MAJOR__;
 // Not ready to break experimental yet.
 // Modern behaviour aligns more with what components
diff --git a/packages/shared/forks/ReactFeatureFlags.test-renderer.js b/packages/shared/forks/ReactFeatureFlags.test-renderer.js
index 0bc3beb753d89..d4211a5da0489 100644
--- a/packages/shared/forks/ReactFeatureFlags.test-renderer.js
+++ b/packages/shared/forks/ReactFeatureFlags.test-renderer.js
@@ -28,7 +28,7 @@ export const enableFormActions = true; // Doesn't affect Test Renderer
 export const enableBinaryFlight = true;
 export const enableTaint = true;
 export const enablePostpone = false;
-export const disableJavaScriptURLs = false;
+export const disableJavaScriptURLs = true;
 export const disableCommentsAsDOMContainers = true;
 export const disableInputAttributeSyncing = false;
 export const disableIEWorkarounds = true;
diff --git a/packages/shared/forks/ReactFeatureFlags.test-renderer.www.js b/packages/shared/forks/ReactFeatureFlags.test-renderer.www.js
index 034c8525cdc07..1c8a11466023c 100644
--- a/packages/shared/forks/ReactFeatureFlags.test-renderer.www.js
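Review bot: The context comment `// Not ready to break experimental yet.` directly above `disableJavaScriptURLs` in `packages/shared/ReactFeatureFlags.js` is left in place, but the commit subject says this change turns the flag on for experimental, so the comment now contradicts the value. I would replace it with something like `// Enabled in experimental; stable keeps allowing javascript: URLs until the next major.` so a reader can tell which release channels get the XSS protection. That wording assumes `__NEXT_MAJOR__` is true only in experimental builds, which is not visible in this hunk. While the flag is off in some channels, code that passes user-controlled values to `href` presumably still needs its own URL scheme validation there.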
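Review bot: Both test-renderer forks (`ReactFeatureFlags.test-renderer.js` and `ReactFeatureFlags.test-renderer.www.js`) hard-code `disableJavaScriptURLs = true`, while the main flags file in the same commit uses `__NEXT_MAJOR__`, so the forks no longer track the canonical value per release channel. If the flag has no effect in the test renderer, a trailing comment like the one on `enableFormActions` would make that explicit: `export const disableJavaScriptURLs = true; // Doesn't affect Test Renderer`. If it does have an effect, using `__NEXT_MAJOR__` in the forks would keep them consistent with the main file. Whether that global is available in the fork files is not visible from these hunks.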
+++ b/packages/shared/forks/ReactFeatureFlags.test-renderer.www.js
@@ -28,7 +28,7 @@ export const enableFormActions = true; // Doesn't affect Test Renderer
 export const enableBinaryFlight = true;
 export const enableTaint = true;
 export const enablePostpone = false;
-export const disableJavaScriptURLs = false;
+export const disableJavaScriptURLs = true;
 export const disableCommentsAsDOMContainers = true;
 export const disableInputAttributeSyncing = false;
 export const disableIEWorkarounds = true;
From 7bd6a55043df32adbf7890b6eb7f61ee25f3b014 Mon Sep 17 00:00:00 2001
From: Rick Hanlon
Date: Tue, 27 Feb 2024 10:53:37 -0500
Subject: [PATCH 2/2] Remove unnecessary flag override
---
 .../src/__tests__/ReactDOMServerIntegrationUntrustedURL-test.js | 2 --
 1 file changed, 2 deletions(-)
diff --git a/packages/react-dom/src/__tests__/ReactDOMServerIntegrationUntrustedURL-test.js b/packages/react-dom/src/__tests__/ReactDOMServerIntegrationUntrustedURL-test.js
index 808396610c48d..73d511985527c 100644
--- a/packages/react-dom/src/__tests__/ReactDOMServerIntegrationUntrustedURL-test.js
+++ b/packages/react-dom/src/__tests__/ReactDOMServerIntegrationUntrustedURL-test.js
@@ -195,8 +195,6 @@ describe('ReactDOMServerIntegration - Untrusted URLs - disableJavaScriptURLs', (
 function initModules() {
 jest.resetModules();
- const ReactFeatureFlags = require('shared/ReactFeatureFlags');
- ReactFeatureFlags.disableJavaScriptURLs = true;
 React = require('react');
 ReactDOMClient = require('react-dom/client');