Bug: SVG executes contents of script tags.

[nhunzaker]

Script tags within SVG execute their contents when rendered with React. This is surprising, and creates opportunities for XSS attacks when rendering user generated content.

React version: 17.02, 18.2.0

Steps To Reproduce

1. Create an <svg> element with a <script> tag in it
2. Render that element
3. The children of that script tag will parse and execute as JavaScript

Link to code example:

https://codesandbox.io/s/modest-voice-kywwwu

The current behavior

In this example, you'll see that the script tag within HTML does not execute, however the script tag within SVG does.

The expected behavior

I would have expected the script's contents to be ignored in SVG, as it does in HTML.

[StefanoMartella]

Hi @nhunzaker,

I noticed the same behavior but it is probably wanted; SVG elements have their own namespace and behavior, separate from HTML elements which probably allows scripts execution. The same behavior is present in other libraries too (https://codesandbox.io/s/exciting-danny-cd7xqu?file=/src/app/app.component.html).

[github-actions]

This issue has been automatically marked as stale. If this issue is still affecting you, please leave any comment (for example, "bump"), and we'll keep it open. We are sorry that we haven't been able to prioritize it yet. If you have any new additional information, please include it with your comment!

[github-actions]

Closing this issue after a prolonged period of inactivity. If this issue is still present in the latest release, please create a new issue with up-to-date information. Thank you!