npm
Sign UpSign In

react-safe-json-ld
TypeScript icon, indicating that this package has built-in type declarations

1.0.1 • Public • Published

react-safe-json-ld

npm versionnpm bundle sizenpm weekly downloads

React component that renders a <script type="application/ld+json"> tag with your passed JSON-LD data, in a way that prevents Cross-Site Scripting (XSS) attacks.

This differs from other implementations in that it escapes dangerous characters in the JSON data with unicode escape sequences (\uXXXX), rather than HTML entities (&lt;, &gt; etc). This means the data does not need to be "decoded" beyond simply JSON parsing it, which is more cross-platform friendly.

Installation

npm install --save react-safe-json-ld

Usage

import {JsonLD, type JsonLDData} from 'react-safe-json-ld'

const structuredData: JsonLDData = {
  '@context': 'https://schema.org/',
  '@type': 'Person',
  name: 'Espen Hovlandsdal',
}

function MyComponent() {
  return (
    <head>
      <JsonLd data={structuredData} />
    </head>
  )
}

Alternative usage

import {encodeJsonLD, type JsonLDData} from 'react-safe-json-ld'

const structuredData: JsonLDData = {
  '@context': 'https://schema.org/',
  '@type': 'Person',
  name: 'Dmitry Kalinin',
}

const encodedData = encodeJsonLD(structuredData)

function MyComponent() {
  return (
    <script
      type="application/ld+json"
      dangerouslySetInnerHTML={{__html: encodedData}}
    />
  )
}

Isn't JSON data safe by default?

Kind of! But not when you put JSON inside of HTML, necessarily. In particular, putting HTML inside of JSON is totally legal, but can lead to big security issues. Consider the following:

<script type="application/ld+json">
{
  "@context": "https://schema.org/",
  "@type": "Person",
  "name": "👋 Attacker here </script><script>alert('I see a problem')",
}
</script>

This will be interpreted as an invalid JSON-LD object, which the browser ignores, but it also opens up a new script tag and executes the JavaScript contained there. If you are using data from an untrusted source (such as user-contributed content), this can be a big problem.

This library attempts to solve this problem, by escaping the JSON data in a way that makes it safe to put inside of HTML. The above example would be escaped to:

<script type="application/ld+json">
{
  "@context": "https://schema.org/",
  "@type": "Person",
  "name": "👋 Attacker here \u003c/script\u003eu003cscriptu003ealert('I see a problem')",
}
</script>

License

MIT © Espen Hovlandsdal

Readme

Keywords

Package Sidebar

Install

npm i react-safe-json-ld

Repository

github.com/rexxars/react-safe-json-ld

Homepage

github.com/rexxars/react-safe-json-ld#readme

Weekly Downloads

3

Version

1.0.1

License

MIT

Unpacked Size

16.7 kB

Total Files

12

Last publish

Collaborators

  • rexxars
Try on RunKit
Report malware