Skip second argument in React.createElement() about rfcs HOT 6 CLOSED

This has a possible security issue: if you pass a user-provided string as the first child of a component without props, the user may be able to misuse your API, allowing them to insert any props they’d like into the component.

from rfcs.

Here is user space solution:

const h = React.createElement;

React.createElement = (type, props, ...children) => {
  if (typeof props !== 'object') {
    children = [props, ...children];
    props = {};
  }

  return h(type, props, ...children);
};

from rfcs.

There's a library directly linked to by the React documentation that offers the syntax you're looking for.

https://github.com/mlmorg/react-hyperscript

from rfcs.

@streamich Thank you for your code:

• typeof == 'object' does not distinguish between arrays and objects (both are true)
• children can be an object as well
• my own user space solution checks if the first key in the object is $$typeof
• this is still very crude, could you improve my code?

@dantman hyperscript needs the children to be in an array, createElement doesn't, so using it actually adds a bit more overhead, that's why I'm looking to use createElement itself, or is it easy to turn off arrays in hyperscript somehow?

from rfcs.

@Superpencil Seems like a pretty small difference, but it does look like there is an issue on the topic and there is a branch in the repo linked that implements the behaviour you want.

I'd think it would be easier to convince the library to implement the behaviour you want than to get React to change how the API works for a use case that React.createElement isn't intended for.

from rfcs.

@dantman you're right, it's a small difference, I'll pursue the issue there, thank you!
@j-f1 Thank you! I was sharing my code in the hope someone would be able to point out some security issue :)

from rfcs.