
The rise in the client doing heavy lifting via libraries such as React is driving an increase in vulnerabilities.

Developers getting into React don't always realize that all the code is executed in the client and any input validation and authentication they come up with has to also exist on the server storing that data.
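A worked illustration of the point above, added here and not part of the thread: one set of validation rules shared by the browser bundle and the server, with the server re-running them and choosing privileged fields itself. The handler, the `db` array and the request bodies are all constructed for the example.

```javascript
// Added example (not from the thread). The same rules give the browser fast
// feedback and run again on the server, the only copy a client cannot skip.

// Shared rules: in a real app this module is imported by both sides.
const USERNAME_RE = /^[a-z0-9_]{3,20}$/;

function validateSignup(input) {
  const errors = [];
  if (typeof input.username !== "string" || !USERNAME_RE.test(input.username)) {
    errors.push("username must be 3-20 chars of [a-z0-9_]");
  }
  if (typeof input.password !== "string" || input.password.length < 12) {
    errors.push("password must be at least 12 characters");
  }
  return errors;
}

// Server side (hypothetical handler): re-validate, and never read privileged
// fields such as `role` from the body, because anything the client sends can
// be altered before it reaches the server.
function handleSignup(body, db) {
  const errors = validateSignup(body);
  if (errors.length) return { status: 400, errors };
  const user = { username: body.username, role: "user" }; // server-chosen; body.role is ignored
  db.push(user);
  return { status: 201, user };
}

function demo() {
  const db = [];
  // Constructed request that passed the client form but carries a field the UI never exposes.
  const extraField = { username: "alice", password: "correct horse battery", role: "admin" };
  const r1 = handleSignup(extraField, db);
  // Constructed request that never went through the client-side form at all.
  const unvalidated = { username: "<b>x</b>", password: "short" };
  const r2 = handleSignup(unvalidated, db);
  return { r1, r2, db };
}
```

`demo()` returns a 201 whose stored user has `role: "user"` regardless of the submitted value, and a 400 with two errors for the request that skipped the client checks.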




While those kinds of "junior developer confused by client vs server" vulnerabilities may be more common, the XSS vulnerabilities described in the article are likely being reduced by libraries like React. You really have to go through some contortions (including manipulating a property called dangerouslySetInnerHTML) to create the kind of insidious XSS vulnerabilities that were commonplace in server-rendered code a few years ago.

It used to be very easy for even experienced developers to accidentally forget to escape a variable somewhere. It took framework developers a while to realize that "escape" should be the default, and now we're at "escape by default and make the developer sign forms in triplicate to override". Which is healthy, I think.


React by default has pretty good XSS protection. That being said, "don't trust the client" has been something developers have struggled with ever since we started writing client/server software.


Not just pretty good, I mean to show code unescaped you need to write `dangerouslySetInnerHTML`.

I think it's a common misconception; heavyweight software usually does pretty well with common problems. Think of frameworks like Rails, which make input validation easy, make writing manual SQL almost obsolete (SQL injection), and even handle CSRF protection mostly transparently.


Developers who don't realize such basic elements of how their application actually works have no chance of creating a secure web-app.


This has been the case since the advent of client side JavaScript. Validation can/should occur on the client side, but it MUST occur on the server side. These aren't new issues due to the use of new JavaScript libraries - they are problems that might be new to some developers.


It seems to me to be the exact opposite of this. If all of the data going from server to client comes through JSON to JavaScript, which usually means a JSON serializer and should correctly escape the data since you're not generating the JSON by hand, then there is no chance for traditional XSS attacks, since the only remaining vector would be doing manual DOM building by concatenating strings, which you generally don't do in React. Now CSRF attacks I would believe you, but not XSS with React.


Completely agree! The post actually alludes to that a bit towards the end.

> Single Page Apps increase the amount of client side logic and user input processing. This makes them more likely to be vulnerable to DOM-based XSS, which, as previously mentioned, is very difficult for website owners to detect.

The more significant work we do on the client, the more interesting it becomes as an attack vector.


Snyk's done some analysis on that aspect specifically too: https://snyk.io/blog/77-percent-of-sites-use-vulnerable-js-l...



