From d56a22fc295da4083f2ab11e719f920b5b1a0c93 Mon Sep 17 00:00:00 2001
From: Sebastian Markbage <sema@fb.com>
Date: Wed, 6 Mar 2019 16:19:00 -0800
Subject: [PATCH 01/11] Allow framesets

---
 packages/react-dom/src/client/validateDOMNesting.js | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/packages/react-dom/src/client/validateDOMNesting.js b/packages/react-dom/src/client/validateDOMNesting.js
index c4190394d560..3bd82241c082 100644
--- a/packages/react-dom/src/client/validateDOMNesting.js
+++ b/packages/react-dom/src/client/validateDOMNesting.js
@@ -282,7 +282,9 @@ if (__DEV__) {
         );
       // https://html.spec.whatwg.org/multipage/semantics.html#the-html-element
       case 'html':
-        return tag === 'head' || tag === 'body';
+        return tag === 'head' || tag === 'body' || tag === 'frameset';
+      case 'frameset':
+        return tag === 'frame';
       case '#document':
         return tag === 'html';
     }
@@ -314,6 +316,7 @@ if (__DEV__) {
       case 'caption':
       case 'col':
       case 'colgroup':
+      case 'frameset':
       case 'frame':
       case 'head':
       case 'html':

From 38a27cb98541dd5c9fea8a985d03ace4cf9cfb57 Mon Sep 17 00:00:00 2001
From: Sebastian Markbage <sema@fb.com>
Date: Wed, 6 Mar 2019 16:49:37 -0800
Subject: [PATCH 02/11] Allow <html> to be used in integration tests

Full document renders requires server rendering so the client path
just uses the hydration path in this case to simplify writing these tests.
---
 .../ReactDOMServerIntegrationTestUtils.js     | 77 ++++++++++++++-----
 1 file changed, 57 insertions(+), 20 deletions(-)

diff --git a/packages/react-dom/src/__tests__/utils/ReactDOMServerIntegrationTestUtils.js b/packages/react-dom/src/__tests__/utils/ReactDOMServerIntegrationTestUtils.js
index d45462e42c5b..57b00046dd78 100644
--- a/packages/react-dom/src/__tests__/utils/ReactDOMServerIntegrationTestUtils.js
+++ b/packages/react-dom/src/__tests__/utils/ReactDOMServerIntegrationTestUtils.js
@@ -19,6 +19,28 @@ module.exports = function(initModules) {
     ({ReactDOM, ReactDOMServer} = initModules());
   }
 
+  function shouldUseDocument(reactElement) {
+    // Used for whole document tests.
+    return reactElement && reactElement.type === 'html';
+  }
+
+  function getContainerFromMarkup(reactElement, markup) {
+    if (shouldUseDocument(reactElement)) {
+      const doc = document.implementation.createHTMLDocument('');
+      doc.open();
+      doc.write(
+        markup ||
+          '<!doctype html><html><meta charset=utf-8><title>test doc</title>',
+      );
+      doc.close();
+      return doc;
+    } else {
+      const container = document.createElement('div');
+      container.innerHTML = markup;
+      return container;
+    }
+  }
+
   // Helper functions for rendering tests
   // ====================================
 
@@ -97,9 +119,7 @@ module.exports = function(initModules) {
   // Does not render on client or perform client-side revival.
   async function serverRender(reactElement, errorCount = 0) {
     const markup = await renderIntoString(reactElement, errorCount);
-    const domElement = document.createElement('div');
-    domElement.innerHTML = markup;
-    return domElement.firstChild;
+    return getContainerFromMarkup(reactElement, markup).firstChild;
   }
 
   // this just drains a readable piped into it to a string, which can be accessed
@@ -133,27 +153,28 @@ module.exports = function(initModules) {
   // Does not render on client or perform client-side revival.
   async function streamRender(reactElement, errorCount = 0) {
     const markup = await renderIntoStream(reactElement, errorCount);
-    const domElement = document.createElement('div');
-    domElement.innerHTML = markup;
-    return domElement.firstChild;
+    return getContainerFromMarkup(reactElement, markup).firstChild;
   }
 
   const clientCleanRender = (element, errorCount = 0) => {
-    const div = document.createElement('div');
-    return renderIntoDom(element, div, false, errorCount);
+    if (shouldUseDocument(element)) {
+      // Documents can't be rendered from scratch.
+      return clientRenderOnServerString(element, errorCount);
+    }
+    const container = document.createElement('div');
+    return renderIntoDom(element, container, false, errorCount);
   };
 
   const clientRenderOnServerString = async (element, errorCount = 0) => {
     const markup = await renderIntoString(element, errorCount);
     resetModules();
 
-    const domElement = document.createElement('div');
-    domElement.innerHTML = markup;
-    let serverNode = domElement.firstChild;
+    let container = getContainerFromMarkup(element, markup);
+    let serverNode = container.firstChild;
 
     const firstClientNode = await renderIntoDom(
       element,
-      domElement,
+      container,
       true,
       errorCount,
     );
@@ -178,19 +199,35 @@ module.exports = function(initModules) {
 
   const clientRenderOnBadMarkup = async (element, errorCount = 0) => {
     // First we render the top of bad mark up.
-    const domElement = document.createElement('div');
-    domElement.innerHTML =
-      '<div id="badIdWhichWillCauseMismatch" data-reactroot="" data-reactid="1"></div>';
-    await renderIntoDom(element, domElement, true, errorCount + 1);
+
+    let container = getContainerFromMarkup(
+      element,
+      shouldUseDocument(element)
+        ? '<html><body><div id="badIdWhichWillCauseMismatch" /></body></html>'
+        : '<div id="badIdWhichWillCauseMismatch" data-reactroot="" data-reactid="1"></div>',
+    );
+
+    await renderIntoDom(element, container, true, errorCount + 1);
 
     // This gives us the resulting text content.
-    const hydratedTextContent = domElement.textContent;
+    const hydratedTextContent =
+      container.lastChild && container.lastChild.textContent;
 
     // Next we render the element into a clean DOM node client side.
-    const cleanDomElement = document.createElement('div');
-    await asyncReactDOMRender(element, cleanDomElement, true);
+    let cleanContainer;
+    if (shouldUseDocument(element)) {
+      // We can't render into a document during a clean render,
+      // so instead, we'll render the children into the document element.
+      cleanContainer = getContainerFromMarkup(element, '<html></html>')
+        .documentElement;
+      element = element.props.children;
+    } else {
+      cleanContainer = document.createElement('div');
+    }
+    await asyncReactDOMRender(element, cleanContainer, true);
     // This gives us the expected text content.
-    const cleanTextContent = cleanDomElement.textContent;
+    const cleanTextContent =
+      cleanContainer.lastChild && cleanContainer.lastChild.textContent;
 
     // The only guarantee is that text content has been patched up if needed.
     expect(hydratedTextContent).toBe(cleanTextContent);

From 968e0a0eafc27a69d3aac671d2836ba6daa62b22 Mon Sep 17 00:00:00 2001
From: Sebastian Markbage <sema@fb.com>
Date: Wed, 6 Mar 2019 00:18:44 -0800
Subject: [PATCH 03/11] Prevent javascript protocol URLs

---
 ...erIntegrationUntrustedURL-test.internal.js | 133 ++++++++++++++++++
 .../src/client/DOMPropertyOperations.js       |   4 +
 .../src/server/DOMMarkupOperations.js         |   5 +
 packages/react-dom/src/shared/DOMProperty.js  |  40 +++++-
 packages/react-dom/src/shared/sanitizeURL.js  |  28 ++++
 packages/shared/ReactFeatureFlags.js          |   3 +
 .../forks/ReactFeatureFlags.native-fb.js      |   1 +
 .../forks/ReactFeatureFlags.native-oss.js     |   1 +
 .../forks/ReactFeatureFlags.persistent.js     |   1 +
 .../forks/ReactFeatureFlags.test-renderer.js  |   1 +
 .../ReactFeatureFlags.test-renderer.www.js    |   1 +
 .../shared/forks/ReactFeatureFlags.www.js     |   1 +
 12 files changed, 218 insertions(+), 1 deletion(-)
 create mode 100644 packages/react-dom/src/__tests__/ReactDOMServerIntegrationUntrustedURL-test.internal.js
 create mode 100644 packages/react-dom/src/shared/sanitizeURL.js

diff --git a/packages/react-dom/src/__tests__/ReactDOMServerIntegrationUntrustedURL-test.internal.js b/packages/react-dom/src/__tests__/ReactDOMServerIntegrationUntrustedURL-test.internal.js
new file mode 100644
index 000000000000..7c33a7032b23
--- /dev/null
+++ b/packages/react-dom/src/__tests__/ReactDOMServerIntegrationUntrustedURL-test.internal.js
@@ -0,0 +1,133 @@
+/**
+ * Copyright (c) Facebook, Inc. and its affiliates.
+ *
+ * This source code is licensed under the MIT license found in the
+ * LICENSE file in the root directory of this source tree.
+ *
+ * @emails react-core
+ */
+
+/* eslint-disable no-script-url */
+
+'use strict';
+
+const ReactDOMServerIntegrationUtils = require('./utils/ReactDOMServerIntegrationTestUtils');
+
+let React;
+let ReactDOM;
+let ReactDOMServer;
+
+function initModules() {
+  jest.resetModuleRegistry();
+  const ReactFeatureFlags = require('shared/ReactFeatureFlags');
+  ReactFeatureFlags.disableJavaScriptURLs = true;
+
+  React = require('react');
+  ReactDOM = require('react-dom');
+  ReactDOMServer = require('react-dom/server');
+
+  // Make them available to the helpers.
+  return {
+    ReactDOM,
+    ReactDOMServer,
+  };
+}
+
+const {
+  resetModules,
+  itRenders,
+  itThrowsWhenRendering,
+} = ReactDOMServerIntegrationUtils(initModules);
+
+describe('ReactDOMServerIntegration', () => {
+  beforeEach(() => {
+    resetModules();
+  });
+
+  itRenders('a http link with the word javascript in it', async render => {
+    const e = await render(
+      <a href="http://javascript:0/thisisfine">Click me</a>,
+    );
+    expect(e.tagName).toBe('A');
+    expect(e.href).toBe('http://javascript:0/thisisfine');
+  });
+
+  itThrowsWhenRendering(
+    'a javascript protocol href',
+    render => render(<a href="javascript:notfine">p0wned</a>, 1),
+    'XSS',
+  );
+
+  itThrowsWhenRendering(
+    'a javascript protocol area href',
+    render =>
+      render(
+        <map>
+          <area href="javascript:notfine" />
+        </map>,
+        1,
+      ),
+    'XSS',
+  );
+
+  itThrowsWhenRendering(
+    'a javascript protocol form action',
+    render => render(<form action="javascript:notfine">p0wned</form>, 1),
+    'XSS',
+  );
+
+  itThrowsWhenRendering(
+    'a javascript protocol button formAction',
+    render => render(<input formAction="javascript:notfine" />, 1),
+    'XSS',
+  );
+
+  itThrowsWhenRendering(
+    'a javascript protocol input formAction',
+    render =>
+      render(<button formAction="javascript:notfine">p0wned</button>, 1),
+    'XSS',
+  );
+
+  itThrowsWhenRendering(
+    'a javascript protocol iframe src',
+    render => render(<iframe src="javascript:notfine" />, 1),
+    'XSS',
+  );
+
+  itThrowsWhenRendering(
+    'a javascript protocol frame src',
+    render =>
+      render(
+        <frameset>
+          <frame src="javascript:notfine" />
+        </frameset>,
+        1,
+      ),
+    'XSS',
+  );
+
+  itThrowsWhenRendering(
+    'a javascript protocol in an SVG link',
+    render =>
+      render(
+        <svg>
+          <a href="javascript:notfine" />
+        </svg>,
+        1,
+      ),
+    'XSS',
+  );
+
+  itThrowsWhenRendering(
+    'a javascript protocol in an SVG link with a namespace',
+    render =>
+      render(
+        <svg>
+          <a xlinkHref="javascript:notfine" />
+        </svg>,
+        1,
+      ),
+    'XSS',
+  );
+});
diff --git a/packages/react-dom/src/client/DOMPropertyOperations.js b/packages/react-dom/src/client/DOMPropertyOperations.js
index 9a186827fa70..8a325c2ffeac 100644
--- a/packages/react-dom/src/client/DOMPropertyOperations.js
+++ b/packages/react-dom/src/client/DOMPropertyOperations.js
@@ -15,6 +15,7 @@ import {
   BOOLEAN,
   OVERLOADED_BOOLEAN,
 } from '../shared/DOMProperty';
+import sanitizeURL from '../shared/sanitizeURL';
 
 import type {PropertyInfo} from '../shared/DOMProperty';
 
@@ -164,6 +165,9 @@ export function setValueForProperty(
       // `setAttribute` with objects becomes only `[object]` in IE8/9,
       // ('' + value) makes it output the correct toString()-value.
       attributeValue = '' + (value: any);
+      if (propertyInfo.sanitizeURL) {
+        sanitizeURL(attributeValue);
+      }
     }
     if (attributeNamespace) {
       node.setAttributeNS(attributeNamespace, attributeName, attributeValue);
diff --git a/packages/react-dom/src/server/DOMMarkupOperations.js b/packages/react-dom/src/server/DOMMarkupOperations.js
index 39dd3aee7f29..7792bbcb0d5a 100644
--- a/packages/react-dom/src/server/DOMMarkupOperations.js
+++ b/packages/react-dom/src/server/DOMMarkupOperations.js
@@ -17,6 +17,7 @@ import {
   shouldIgnoreAttribute,
   shouldRemoveAttribute,
 } from '../shared/DOMProperty';
+import sanitizeURL from '../shared/sanitizeURL';
 import quoteAttributeValueForBrowser from './quoteAttributeValueForBrowser';
 
 /**
@@ -58,6 +59,10 @@ export function createMarkupForProperty(name: string, value: mixed): string {
     if (type === BOOLEAN || (type === OVERLOADED_BOOLEAN && value === true)) {
       return attributeName + '=""';
     } else {
+      if (propertyInfo.sanitizeURL) {
+        value = '' + (value: any);
+        sanitizeURL(value);
+      }
       return attributeName + '=' + quoteAttributeValueForBrowser(value);
     }
   } else if (isAttributeNameSafe(name)) {
diff --git a/packages/react-dom/src/shared/DOMProperty.js b/packages/react-dom/src/shared/DOMProperty.js
index 3dd08203d495..e770e0f722cc 100644
--- a/packages/react-dom/src/shared/DOMProperty.js
+++ b/packages/react-dom/src/shared/DOMProperty.js
@@ -51,6 +51,7 @@ export type PropertyInfo = {|
   +mustUseProperty: boolean,
   +propertyName: string,
   +type: PropertyType,
+  +sanitizeURL: boolean,
 |};
 
 /* eslint-disable max-len */
@@ -186,6 +187,7 @@ function PropertyInfoRecord(
   mustUseProperty: boolean,
   attributeName: string,
   attributeNamespace: string | null,
+  sanitizeURL: boolean,
 ) {
   this.acceptsBooleans =
     type === BOOLEANISH_STRING ||
@@ -196,6 +198,7 @@ function PropertyInfoRecord(
   this.mustUseProperty = mustUseProperty;
   this.propertyName = name;
   this.type = type;
+  this.sanitizeURL = sanitizeURL;
 }
 
 // When adding attributes to this list, be sure to also add them to
@@ -223,6 +226,7 @@ const properties = {};
     false, // mustUseProperty
     name, // attributeName
     null, // attributeNamespace
+    false, // sanitizeURL
   );
 });
 
@@ -240,6 +244,7 @@ const properties = {};
     false, // mustUseProperty
     attributeName, // attributeName
     null, // attributeNamespace
+    false, // sanitizeURL
   );
 });
 
@@ -253,6 +258,7 @@ const properties = {};
     false, // mustUseProperty
     name.toLowerCase(), // attributeName
     null, // attributeNamespace
+    false, // sanitizeURL
   );
 });
 
@@ -272,6 +278,7 @@ const properties = {};
     false, // mustUseProperty
     name, // attributeName
     null, // attributeNamespace
+    false, // sanitizeURL
   );
 });
 
@@ -308,6 +315,7 @@ const properties = {};
     false, // mustUseProperty
     name.toLowerCase(), // attributeName
     null, // attributeNamespace
+    false, // sanitizeURL
   );
 });
 
@@ -331,6 +339,7 @@ const properties = {};
     true, // mustUseProperty
     name, // attributeName
     null, // attributeNamespace
+    false, // sanitizeURL
   );
 });
 
@@ -350,6 +359,7 @@ const properties = {};
     false, // mustUseProperty
     name, // attributeName
     null, // attributeNamespace
+    false, // sanitizeURL
   );
 });
 
@@ -370,6 +380,7 @@ const properties = {};
     false, // mustUseProperty
     name, // attributeName
     null, // attributeNamespace
+    false, // sanitizeURL
   );
 });
 
@@ -381,6 +392,7 @@ const properties = {};
     false, // mustUseProperty
     name.toLowerCase(), // attributeName
     null, // attributeNamespace
+    false, // sanitizeURL
   );
 });
 
@@ -478,6 +490,7 @@ const capitalize = token => token[1].toUpperCase();
     false, // mustUseProperty
     attributeName,
     null, // attributeNamespace
+    false, // sanitizeURL
   );
 });
 
@@ -485,7 +498,6 @@ const capitalize = token => token[1].toUpperCase();
 [
   'xlink:actuate',
   'xlink:arcrole',
-  'xlink:href',
   'xlink:role',
   'xlink:show',
   'xlink:title',
@@ -502,6 +514,7 @@ const capitalize = token => token[1].toUpperCase();
     false, // mustUseProperty
     attributeName,
     'http://www.w3.org/1999/xlink',
+    false, // sanitizeURL
   );
 });
 
@@ -522,6 +535,7 @@ const capitalize = token => token[1].toUpperCase();
     false, // mustUseProperty
     attributeName,
     'http://www.w3.org/XML/1998/namespace',
+    false, // sanitizeURL
   );
 });
 
@@ -535,5 +549,29 @@ const capitalize = token => token[1].toUpperCase();
     false, // mustUseProperty
     attributeName.toLowerCase(), // attributeName
     null, // attributeNamespace
+    false, // sanitizeURL
+  );
+});
+
+// These attributes accept URLs. These must not allow javascript: URLS.
+// These will also need to accept Trusted Types object in the future.
+const xlinkHref = 'xlinkHref';
+properties[xlinkHref] = new PropertyInfoRecord(
+  'xlinkHref',
+  STRING,
+  false, // mustUseProperty
+  'xlink:href',
+  'http://www.w3.org/1999/xlink',
+  true, // sanitizeURL
+);
+
+['src', 'href', 'action', 'formAction'].forEach(attributeName => {
+  properties[attributeName] = new PropertyInfoRecord(
+    attributeName,
+    STRING,
+    false, // mustUseProperty
+    attributeName.toLowerCase(), // attributeName
+    null, // attributeNamespace
+    true, // sanitizeURL
   );
 });
diff --git a/packages/react-dom/src/shared/sanitizeURL.js b/packages/react-dom/src/shared/sanitizeURL.js
new file mode 100644
index 000000000000..d342f752f8f2
--- /dev/null
+++ b/packages/react-dom/src/shared/sanitizeURL.js
@@ -0,0 +1,28 @@
+/**
+ * Copyright (c) Facebook, Inc. and its affiliates.
+ *
+ * This source code is licensed under the MIT license found in the
+ * LICENSE file in the root directory of this source tree.
+ */
+
+import invariant from 'shared/invariant';
+import warning from 'shared/warning';
+import ReactSharedInternals from 'shared/ReactSharedInternals';
+
+let ReactDebugCurrentFrame = null;
+if (__DEV__) {
+  ReactDebugCurrentFrame = ReactSharedInternals.ReactDebugCurrentFrame;
+}
+
+// TODO: This is not sufficient. Will include more.
+let isJavaScriptProtocol = /^\s*javascript\:/i;
+
+function sanitizeURL(url: string) {
+  invariant(
+    !isJavaScriptProtocol.test(url),
+    'XSS.%s',
+    __DEV__ ? ReactDebugCurrentFrame.getStackAddendum() : '',
+  );
+}
+
+export default sanitizeURL;
diff --git a/packages/shared/ReactFeatureFlags.js b/packages/shared/ReactFeatureFlags.js
index ac67f3d8ead1..39c81704cfd3 100644
--- a/packages/shared/ReactFeatureFlags.js
+++ b/packages/shared/ReactFeatureFlags.js
@@ -42,6 +42,9 @@ export function addUserTimingListener() {
   throw new Error('Not implemented.');
 }
 
+// Disable javascript: URL strings in href for XSS protection.
+export const disableJavaScriptURLs = false;
+
 // React Fire: prevent the value and checked attributes from syncing
 // with their related DOM properties
 export const disableInputAttributeSyncing = false;
diff --git a/packages/shared/forks/ReactFeatureFlags.native-fb.js b/packages/shared/forks/ReactFeatureFlags.native-fb.js
index b5cef5b36353..6a7833e06aab 100644
--- a/packages/shared/forks/ReactFeatureFlags.native-fb.js
+++ b/packages/shared/forks/ReactFeatureFlags.native-fb.js
@@ -24,6 +24,7 @@ export const enableStableConcurrentModeAPIs = false;
 export const warnAboutShorthandPropertyCollision = false;
 export const enableSchedulerDebugging = false;
 export const debugRenderPhaseSideEffectsForStrictMode = true;
+export const disableJavaScriptURLs = false;
 export const disableInputAttributeSyncing = false;
 export const replayFailedUnitOfWorkWithInvokeGuardedCallback = __DEV__;
 export const warnAboutDeprecatedLifecycles = true;
diff --git a/packages/shared/forks/ReactFeatureFlags.native-oss.js b/packages/shared/forks/ReactFeatureFlags.native-oss.js
index 25000d24f2fc..aa48eb40e288 100644
--- a/packages/shared/forks/ReactFeatureFlags.native-oss.js
+++ b/packages/shared/forks/ReactFeatureFlags.native-oss.js
@@ -20,6 +20,7 @@ export const warnAboutDeprecatedLifecycles = false;
 export const enableProfilerTimer = __PROFILE__;
 export const enableSchedulerTracing = __PROFILE__;
 export const enableSuspenseServerRenderer = false;
+export const disableJavaScriptURLs = false;
 export const disableInputAttributeSyncing = false;
 export const enableStableConcurrentModeAPIs = false;
 export const warnAboutShorthandPropertyCollision = false;
diff --git a/packages/shared/forks/ReactFeatureFlags.persistent.js b/packages/shared/forks/ReactFeatureFlags.persistent.js
index 6179f0da5634..345fee26407a 100644
--- a/packages/shared/forks/ReactFeatureFlags.persistent.js
+++ b/packages/shared/forks/ReactFeatureFlags.persistent.js
@@ -20,6 +20,7 @@ export const replayFailedUnitOfWorkWithInvokeGuardedCallback = __DEV__;
 export const enableProfilerTimer = __PROFILE__;
 export const enableSchedulerTracing = __PROFILE__;
 export const enableSuspenseServerRenderer = false;
+export const disableJavaScriptURLs = false;
 export const disableInputAttributeSyncing = false;
 export const enableStableConcurrentModeAPIs = false;
 export const warnAboutShorthandPropertyCollision = false;
diff --git a/packages/shared/forks/ReactFeatureFlags.test-renderer.js b/packages/shared/forks/ReactFeatureFlags.test-renderer.js
index 0798a7f7dff9..7153ac8c2990 100644
--- a/packages/shared/forks/ReactFeatureFlags.test-renderer.js
+++ b/packages/shared/forks/ReactFeatureFlags.test-renderer.js
@@ -20,6 +20,7 @@ export const replayFailedUnitOfWorkWithInvokeGuardedCallback = false;
 export const enableProfilerTimer = false;
 export const enableSchedulerTracing = false;
 export const enableSuspenseServerRenderer = false;
+export const disableJavaScriptURLs = false;
 export const disableInputAttributeSyncing = false;
 export const enableStableConcurrentModeAPIs = false;
 export const warnAboutShorthandPropertyCollision = false;
diff --git a/packages/shared/forks/ReactFeatureFlags.test-renderer.www.js b/packages/shared/forks/ReactFeatureFlags.test-renderer.www.js
index e51f5810e2e4..b97c5d8559ed 100644
--- a/packages/shared/forks/ReactFeatureFlags.test-renderer.www.js
+++ b/packages/shared/forks/ReactFeatureFlags.test-renderer.www.js
@@ -23,6 +23,7 @@ export const enableSuspenseServerRenderer = false;
 export const enableStableConcurrentModeAPIs = false;
 export const enableSchedulerDebugging = false;
 export const warnAboutDeprecatedSetNativeProps = false;
+export const disableJavaScriptURLs = false;
 
 // Only used in www builds.
 export function addUserTimingListener() {
diff --git a/packages/shared/forks/ReactFeatureFlags.www.js b/packages/shared/forks/ReactFeatureFlags.www.js
index 3048979a9d32..d63c184065bf 100644
--- a/packages/shared/forks/ReactFeatureFlags.www.js
+++ b/packages/shared/forks/ReactFeatureFlags.www.js
@@ -16,6 +16,7 @@ export const {
   debugRenderPhaseSideEffectsForStrictMode,
   replayFailedUnitOfWorkWithInvokeGuardedCallback,
   warnAboutDeprecatedLifecycles,
+  disableJavaScriptURLs,
   disableInputAttributeSyncing,
   warnAboutShorthandPropertyCollision,
   warnAboutDeprecatedSetNativeProps,

From 3c7e4d41df0e912003ede3ba179913f71a98200e Mon Sep 17 00:00:00 2001
From: Sebastian Markbage <sema@fb.com>
Date: Wed, 6 Mar 2019 13:25:09 -0800
Subject: [PATCH 04/11] Just warn when disableJavaScriptURLs is false

This avoids a breaking change.
---
 ...erIntegrationUntrustedURL-test.internal.js | 204 ++++++++++--------
 .../src/client/DOMPropertyOperations.js       |   8 +
 packages/react-dom/src/shared/sanitizeURL.js  |  20 +-
 3 files changed, 138 insertions(+), 94 deletions(-)

diff --git a/packages/react-dom/src/__tests__/ReactDOMServerIntegrationUntrustedURL-test.internal.js b/packages/react-dom/src/__tests__/ReactDOMServerIntegrationUntrustedURL-test.internal.js
index 7c33a7032b23..87c474a8864a 100644
--- a/packages/react-dom/src/__tests__/ReactDOMServerIntegrationUntrustedURL-test.internal.js
+++ b/packages/react-dom/src/__tests__/ReactDOMServerIntegrationUntrustedURL-test.internal.js
@@ -17,33 +17,7 @@ let React;
 let ReactDOM;
 let ReactDOMServer;
 
-function initModules() {
-  jest.resetModuleRegistry();
-  const ReactFeatureFlags = require('shared/ReactFeatureFlags');
-  ReactFeatureFlags.disableJavaScriptURLs = true;
-
-  React = require('react');
-  ReactDOM = require('react-dom');
-  ReactDOMServer = require('react-dom/server');
-
-  // Make them available to the helpers.
-  return {
-    ReactDOM,
-    ReactDOMServer,
-  };
-}
-
-const {
-  resetModules,
-  itRenders,
-  itThrowsWhenRendering,
-} = ReactDOMServerIntegrationUtils(initModules);
-
-describe('ReactDOMServerIntegration', () => {
-  beforeEach(() => {
-    resetModules();
-  });
-
+function runTests(itRenders, itRejects) {
   itRenders('a http link with the word javascript in it', async render => {
     const e = await render(
       <a href="http://javascript:0/thisisfine">Click me</a>,
@@ -52,82 +26,134 @@ describe('ReactDOMServerIntegration', () => {
     expect(e.href).toBe('http://javascript:0/thisisfine');
   });
 
-  itThrowsWhenRendering(
-    'a javascript protocol href',
-    render => render(<a href="javascript:notfine">p0wned</a>, 1),
-    'XSS',
-  );
+  itRejects('a javascript protocol href', async render => {
+    const e = await render(<a href="javascript:notfine">p0wned</a>, 1);
+    expect(e.href).toBe('javascript:notfine');
+  });
 
-  itThrowsWhenRendering(
-    'a javascript protocol area href',
-    render =>
-      render(
-        <map>
-          <area href="javascript:notfine" />
-        </map>,
-        1,
-      ),
-    'XSS',
-  );
+  itRejects('a javascript protocol area href', async render => {
+    const e = await render(
+      <map>
+        <area href="javascript:notfine" />
+      </map>,
+      1,
+    );
+    expect(e.firstChild.href).toBe('javascript:notfine');
+  });
 
-  itThrowsWhenRendering(
-    'a javascript protocol form action',
-    render => render(<form action="javascript:notfine">p0wned</form>, 1),
-    'XSS',
-  );
+  itRejects('a javascript protocol form action', async render => {
+    const e = await render(<form action="javascript:notfine">p0wned</form>, 1);
+    expect(e.action).toBe('javascript:notfine');
+  });
 
-  itThrowsWhenRendering(
-    'a javascript protocol button formAction',
-    render => render(<input formAction="javascript:notfine" />, 1),
-    'XSS',
-  );
+  itRejects('a javascript protocol button formAction', async render => {
+    const e = await render(<input formAction="javascript:notfine" />, 1);
+    expect(e.getAttribute('formAction')).toBe('javascript:notfine');
+  });
 
-  itThrowsWhenRendering(
-    'a javascript protocol input formAction',
-    render =>
-      render(<button formAction="javascript:notfine">p0wned</button>, 1),
-    'XSS',
-  );
+  itRejects('a javascript protocol input formAction', async render => {
+    const e = await render(
+      <button formAction="javascript:notfine">p0wned</button>,
+      1,
+    );
+    expect(e.getAttribute('formAction')).toBe('javascript:notfine');
+  });
 
-  itThrowsWhenRendering(
-    'a javascript protocol iframe src',
-    render => render(<iframe src="javascript:notfine" />, 1),
-    'XSS',
-  );
+  itRejects('a javascript protocol iframe src', async render => {
+    const e = await render(<iframe src="javascript:notfine" />, 1);
+    expect(e.src).toBe('javascript:notfine');
+  });
 
-  itThrowsWhenRendering(
-    'a javascript protocol frame src',
-    render =>
-      render(
+  itRejects('a javascript protocol frame src', async render => {
+    const e = await render(
+      <html>
+        <head />
         <frameset>
           <frame src="javascript:notfine" />
-        </frameset>,
-        1,
-      ),
-    'XSS',
-  );
+        </frameset>
+      </html>,
+      1,
+    );
+    expect(e.lastChild.firstChild.src).toBe('javascript:notfine');
+  });
 
-  itThrowsWhenRendering(
-    'a javascript protocol in an SVG link',
-    render =>
-      render(
-        <svg>
-          <a href="javascript:notfine" />
-        </svg>,
-        1,
-      ),
-    'XSS',
-  );
+  itRejects('a javascript protocol in an SVG link', async render => {
+    const e = await render(
+      <svg>
+        <a href="javascript:notfine" />
+      </svg>,
+      1,
+    );
+    expect(e.firstChild.getAttribute('href')).toBe('javascript:notfine');
+  });
 
-  itThrowsWhenRendering(
+  itRejects(
     'a javascript protocol in an SVG link with a namespace',
-    render =>
-      render(
+    async render => {
+      const e = await render(
         <svg>
           <a xlinkHref="javascript:notfine" />
         </svg>,
         1,
-      ),
-    'XSS',
+      );
+      expect(
+        e.firstChild.getAttributeNS('http://www.w3.org/1999/xlink', 'href'),
+      ).toBe('javascript:notfine');
+    },
+  );
+}
+
+describe('ReactDOMServerIntegration - Untrusted URLs', () => {
+  function initModules() {
+    jest.resetModuleRegistry();
+    React = require('react');
+    ReactDOM = require('react-dom');
+    ReactDOMServer = require('react-dom/server');
+
+    // Make them available to the helpers.
+    return {
+      ReactDOM,
+      ReactDOMServer,
+    };
+  }
+
+  const {resetModules, itRenders} = ReactDOMServerIntegrationUtils(initModules);
+
+  beforeEach(() => {
+    resetModules();
+  });
+
+  runTests(itRenders, itRenders);
+});
+
+describe('ReactDOMServerIntegration - Untrusted URLs - disableJavaScriptURLs', () => {
+  function initModules() {
+    jest.resetModuleRegistry();
+    const ReactFeatureFlags = require('shared/ReactFeatureFlags');
+    ReactFeatureFlags.disableJavaScriptURLs = true;
+
+    React = require('react');
+    ReactDOM = require('react-dom');
+    ReactDOMServer = require('react-dom/server');
+
+    // Make them available to the helpers.
+    return {
+      ReactDOM,
+      ReactDOMServer,
+    };
+  }
+
+  const {
+    resetModules,
+    itRenders,
+    itThrowsWhenRendering,
+  } = ReactDOMServerIntegrationUtils(initModules);
+
+  beforeEach(() => {
+    resetModules();
+  });
+
+  runTests(itRenders, (message, test) =>
+    itThrowsWhenRendering(message, test, 'blocked a javascript: URL'),
   );
 });
diff --git a/packages/react-dom/src/client/DOMPropertyOperations.js b/packages/react-dom/src/client/DOMPropertyOperations.js
index 8a325c2ffeac..ada27844894b 100644
--- a/packages/react-dom/src/client/DOMPropertyOperations.js
+++ b/packages/react-dom/src/client/DOMPropertyOperations.js
@@ -16,6 +16,7 @@ import {
   OVERLOADED_BOOLEAN,
 } from '../shared/DOMProperty';
 import sanitizeURL from '../shared/sanitizeURL';
+import {disableJavaScriptURLs} from 'shared/ReactFeatureFlags';
 
 import type {PropertyInfo} from '../shared/DOMProperty';
 
@@ -35,6 +36,13 @@ export function getValueForProperty(
       const {propertyName} = propertyInfo;
       return (node: any)[propertyName];
     } else {
+      if (!disableJavaScriptURLs && propertyInfo.sanitizeURL) {
+        // If we haven't fully disabled javascript: URLs, and if
+        // the hydration is successful of a javascript: URL, we
+        // still want to warn on the client.
+        sanitizeURL(expected);
+      }
+
       const attributeName = propertyInfo.attributeName;
 
       let stringValue = null;
diff --git a/packages/react-dom/src/shared/sanitizeURL.js b/packages/react-dom/src/shared/sanitizeURL.js
index d342f752f8f2..88b5f1d068a1 100644
--- a/packages/react-dom/src/shared/sanitizeURL.js
+++ b/packages/react-dom/src/shared/sanitizeURL.js
@@ -8,6 +8,7 @@
 import invariant from 'shared/invariant';
 import warning from 'shared/warning';
 import ReactSharedInternals from 'shared/ReactSharedInternals';
+import {disableJavaScriptURLs} from 'shared/ReactFeatureFlags';
 
 let ReactDebugCurrentFrame = null;
 if (__DEV__) {
@@ -18,11 +19,20 @@ if (__DEV__) {
 let isJavaScriptProtocol = /^\s*javascript\:/i;
 
 function sanitizeURL(url: string) {
-  invariant(
-    !isJavaScriptProtocol.test(url),
-    'XSS.%s',
-    __DEV__ ? ReactDebugCurrentFrame.getStackAddendum() : '',
-  );
+  if (disableJavaScriptURLs) {
+    invariant(
+      !isJavaScriptProtocol.test(url),
+      'React has blocked a javascript: URL as a security precaution.%s',
+      __DEV__ ? ReactDebugCurrentFrame.getStackAddendum() : '',
+    );
+  } else if (__DEV__) {
+    warning(
+      !isJavaScriptProtocol.test(url),
+      'A future version of React will block javascript: URLs as a security precaution. ' +
+        'Use event handlers instead if you can. If you need to generate unsafe HTML try ' +
+        'using dangerouslySetInnerHTML instead.',
+    );
+  }
 }
 
 export default sanitizeURL;

From 8f89a99dc01f5beea6e0e213f1836695a4b465f5 Mon Sep 17 00:00:00 2001
From: Sebastian Markbage <sema@fb.com>
Date: Wed, 6 Mar 2019 18:32:13 -0800
Subject: [PATCH 05/11] Detect leading and intermediate characters and test
 mixed case

These are considered valid javascript urls by browser so they must be
included in the filter.

This is an exact match according to the spec but maybe we should include
a super set to be safer?
---
 ...erIntegrationUntrustedURL-test.internal.js | 21 +++++++++++++++++++
 packages/react-dom/src/shared/sanitizeURL.js  | 13 ++++++++++--
 2 files changed, 32 insertions(+), 2 deletions(-)

diff --git a/packages/react-dom/src/__tests__/ReactDOMServerIntegrationUntrustedURL-test.internal.js b/packages/react-dom/src/__tests__/ReactDOMServerIntegrationUntrustedURL-test.internal.js
index 87c474a8864a..2ce5e5fd9ba4 100644
--- a/packages/react-dom/src/__tests__/ReactDOMServerIntegrationUntrustedURL-test.internal.js
+++ b/packages/react-dom/src/__tests__/ReactDOMServerIntegrationUntrustedURL-test.internal.js
@@ -31,6 +31,27 @@ function runTests(itRenders, itRejects) {
     expect(e.href).toBe('javascript:notfine');
   });
 
+  itRejects('a javascript protocol with leading spaces', async render => {
+    const e = await render(
+      <a href={'  \t \u0000\u001F\u0003javascript\n: notfine'}>p0wned</a>,
+      1,
+    );
+    // We use an approximate comparison here because JSDOM might not parse
+    // \u0000 in HTML properly.
+    expect(e.href).toContain('notfine');
+  });
+
+  itRejects(
+    'a javascript protocol with intermediate new lines and mixed casing',
+    async render => {
+      const e = await render(
+        <a href={'\t\r\n Jav\rasCr\r\niP\t\n\rt\n:notfine'}>p0wned</a>,
+        1,
+      );
+      expect(e.href).toBe('javascript:notfine');
+    },
+  );
+
   itRejects('a javascript protocol area href', async render => {
     const e = await render(
       <map>
diff --git a/packages/react-dom/src/shared/sanitizeURL.js b/packages/react-dom/src/shared/sanitizeURL.js
index 88b5f1d068a1..b4a8d99c083c 100644
--- a/packages/react-dom/src/shared/sanitizeURL.js
+++ b/packages/react-dom/src/shared/sanitizeURL.js
@@ -15,8 +15,17 @@ if (__DEV__) {
   ReactDebugCurrentFrame = ReactSharedInternals.ReactDebugCurrentFrame;
 }
 
-// TODO: This is not sufficient. Will include more.
-let isJavaScriptProtocol = /^\s*javascript\:/i;
+// A javascript: URL can contain leading C0 control or \u0020 SPACE,
+// and any newline or tab are filtered out as if they're not part of the URL.
+// https://url.spec.whatwg.org/#url-parsing
+// Tab or newline are defined as \r\n\t:
+// https://infra.spec.whatwg.org/#ascii-tab-or-newline
+// A C0 control is a code point in the range \u0000 NULL to \u001F
+// INFORMATION SEPARATOR ONE, inclusive:
+// https://infra.spec.whatwg.org/#c0-control-or-space
+
+/* eslint-disable max-len */
+const isJavaScriptProtocol = /^[\u0000-\u001F ]*j[\r\n\t]*a[\r\n\t]*v[\r\n\t]*a[\r\n\t]*s[\r\n\t]*c[\r\n\t]*r[\r\n\t]*i[\r\n\t]*p[\r\n\t]*t[\r\n\t]*\:/i;
 
 function sanitizeURL(url: string) {
   if (disableJavaScriptURLs) {

From b9af76503d9161180166ccf51af052ba0cd30853 Mon Sep 17 00:00:00 2001
From: Sebastian Markbage <sema@fb.com>
Date: Wed, 6 Mar 2019 18:51:48 -0800
Subject: [PATCH 06/11] Test updates to ensure we have coverage there too

---
 ...erIntegrationUntrustedURL-test.internal.js | 36 ++++++++++++++++---
 1 file changed, 32 insertions(+), 4 deletions(-)

diff --git a/packages/react-dom/src/__tests__/ReactDOMServerIntegrationUntrustedURL-test.internal.js b/packages/react-dom/src/__tests__/ReactDOMServerIntegrationUntrustedURL-test.internal.js
index 2ce5e5fd9ba4..e0a6029d8b8f 100644
--- a/packages/react-dom/src/__tests__/ReactDOMServerIntegrationUntrustedURL-test.internal.js
+++ b/packages/react-dom/src/__tests__/ReactDOMServerIntegrationUntrustedURL-test.internal.js
@@ -17,7 +17,7 @@ let React;
 let ReactDOM;
 let ReactDOMServer;
 
-function runTests(itRenders, itRejects) {
+function runTests(itRenders, itRejects, expectToReject) {
   itRenders('a http link with the word javascript in it', async render => {
     const e = await render(
       <a href="http://javascript:0/thisisfine">Click me</a>,
@@ -122,6 +122,14 @@ function runTests(itRenders, itRejects) {
       ).toBe('javascript:notfine');
     },
   );
+
+  it('rejects a javascript protocol href if it is added during an update', () => {
+    let container = document.createElement('div');
+    ReactDOM.render(<a href="thisisfine">click me</a>, container);
+    expectToReject(() => {
+      ReactDOM.render(<a href="javascript:notfine">click me</a>, container);
+    });
+  });
 }
 
 describe('ReactDOMServerIntegration - Untrusted URLs', () => {
@@ -144,7 +152,14 @@ describe('ReactDOMServerIntegration - Untrusted URLs', () => {
     resetModules();
   });
 
-  runTests(itRenders, itRenders);
+  runTests(itRenders, itRenders, fn =>
+    expect(fn).toWarnDev(
+      'Warning: A future version of React will block javascript: URLs as a security precaution. ' +
+        'Use event handlers instead if you can. If you need to generate unsafe HTML try using ' +
+        'dangerouslySetInnerHTML instead.\n' +
+        '    in a (at **)',
+    ),
+  );
 });
 
 describe('ReactDOMServerIntegration - Untrusted URLs - disableJavaScriptURLs', () => {
@@ -174,7 +189,20 @@ describe('ReactDOMServerIntegration - Untrusted URLs - disableJavaScriptURLs', (
     resetModules();
   });
 
-  runTests(itRenders, (message, test) =>
-    itThrowsWhenRendering(message, test, 'blocked a javascript: URL'),
+  runTests(
+    itRenders,
+    (message, test) =>
+      itThrowsWhenRendering(message, test, 'blocked a javascript: URL'),
+    fn => {
+      let msg;
+      try {
+        fn();
+      } catch (x) {
+        msg = x.message;
+      }
+      expect(msg).toContain(
+        'React has blocked a javascript: URL as a security precaution.',
+      );
+    },
   );
 });

From 138f8343484f318c4ea824ce716c6c76a8db427e Mon Sep 17 00:00:00 2001
From: Sebastian Markbage <sema@fb.com>
Date: Mon, 11 Mar 2019 15:22:00 -0700
Subject: [PATCH 07/11] Fix toString invocation and Flow types

Right now we invoke toString twice when we hydrate (three times
with the flag off). Ideally we should only do it once even in this case
but the code structure doesn't really allow for that right now.
---
 ...erIntegrationUntrustedURL-test.internal.js | 29 +++++++++++++++++++
 .../ReactDOMServerIntegrationTestUtils.js     |  1 +
 .../src/client/DOMPropertyOperations.js       |  2 +-
 packages/react-dom/src/shared/sanitizeURL.js  |  4 ++-
 4 files changed, 34 insertions(+), 2 deletions(-)

diff --git a/packages/react-dom/src/__tests__/ReactDOMServerIntegrationUntrustedURL-test.internal.js b/packages/react-dom/src/__tests__/ReactDOMServerIntegrationUntrustedURL-test.internal.js
index e0a6029d8b8f..a5b9409edd2e 100644
--- a/packages/react-dom/src/__tests__/ReactDOMServerIntegrationUntrustedURL-test.internal.js
+++ b/packages/react-dom/src/__tests__/ReactDOMServerIntegrationUntrustedURL-test.internal.js
@@ -183,6 +183,8 @@ describe('ReactDOMServerIntegration - Untrusted URLs - disableJavaScriptURLs', (
     resetModules,
     itRenders,
     itThrowsWhenRendering,
+    clientRenderOnBadMarkup,
+    clientRenderOnServerString,
   } = ReactDOMServerIntegrationUtils(initModules);
 
   beforeEach(() => {
@@ -205,4 +207,31 @@ describe('ReactDOMServerIntegration - Untrusted URLs - disableJavaScriptURLs', (
       );
     },
   );
+
+  itRenders('only the first invocation of toString', async render => {
+    let expectedToStringCalls = 1;
+    if (
+      render === clientRenderOnBadMarkup ||
+      render === clientRenderOnServerString
+    ) {
+      // The hydration calls it one extra time.
+      expectedToStringCalls = 2;
+    }
+    let toStringCalls = 0;
+    let firstIsSafe = {
+      toString() {
+        // This tries to avoid the validation by pretending to be safe
+        // the first times it is called and then becomes dangerous.
+        toStringCalls++;
+        if (toStringCalls <= expectedToStringCalls) {
+          return 'https://fb.me/';
+        }
+        return 'javascript:notfine';
+      },
+    };
+
+    const e = await render(<a href={firstIsSafe} />);
+    expect(toStringCalls).toBe(expectedToStringCalls);
+    expect(e.href).toBe('https://fb.me/');
+  });
 });
diff --git a/packages/react-dom/src/__tests__/utils/ReactDOMServerIntegrationTestUtils.js b/packages/react-dom/src/__tests__/utils/ReactDOMServerIntegrationTestUtils.js
index 57b00046dd78..55350b42a378 100644
--- a/packages/react-dom/src/__tests__/utils/ReactDOMServerIntegrationTestUtils.js
+++ b/packages/react-dom/src/__tests__/utils/ReactDOMServerIntegrationTestUtils.js
@@ -357,6 +357,7 @@ module.exports = function(initModules) {
     asyncReactDOMRender,
     serverRender,
     clientCleanRender,
+    clientRenderOnBadMarkup,
     clientRenderOnServerString,
     renderIntoDom,
     streamRender,
diff --git a/packages/react-dom/src/client/DOMPropertyOperations.js b/packages/react-dom/src/client/DOMPropertyOperations.js
index ada27844894b..6a2d0f7d244a 100644
--- a/packages/react-dom/src/client/DOMPropertyOperations.js
+++ b/packages/react-dom/src/client/DOMPropertyOperations.js
@@ -40,7 +40,7 @@ export function getValueForProperty(
         // If we haven't fully disabled javascript: URLs, and if
         // the hydration is successful of a javascript: URL, we
         // still want to warn on the client.
-        sanitizeURL(expected);
+        sanitizeURL('' + (expected: any));
       }
 
       const attributeName = propertyInfo.attributeName;
diff --git a/packages/react-dom/src/shared/sanitizeURL.js b/packages/react-dom/src/shared/sanitizeURL.js
index b4a8d99c083c..d9281ca10994 100644
--- a/packages/react-dom/src/shared/sanitizeURL.js
+++ b/packages/react-dom/src/shared/sanitizeURL.js
@@ -3,6 +3,8 @@
  *
  * This source code is licensed under the MIT license found in the
  * LICENSE file in the root directory of this source tree.
+ *
+ * @flow
  */
 
 import invariant from 'shared/invariant';
@@ -10,7 +12,7 @@ import warning from 'shared/warning';
 import ReactSharedInternals from 'shared/ReactSharedInternals';
 import {disableJavaScriptURLs} from 'shared/ReactFeatureFlags';
 
-let ReactDebugCurrentFrame = null;
+let ReactDebugCurrentFrame = ((null: any): {getStackAddendum(): string});
 if (__DEV__) {
   ReactDebugCurrentFrame = ReactSharedInternals.ReactDebugCurrentFrame;
 }

From 8d9b293cac2fdb6f146acb997cbf05e376ef4b76 Mon Sep 17 00:00:00 2001
From: Sebastian Markbage <sema@fb.com>
Date: Mon, 11 Mar 2019 15:25:11 -0700
Subject: [PATCH 08/11] s/itRejects/itRejectsRendering

---
 ...erIntegrationUntrustedURL-test.internal.js | 52 +++++++++++--------
 1 file changed, 29 insertions(+), 23 deletions(-)

diff --git a/packages/react-dom/src/__tests__/ReactDOMServerIntegrationUntrustedURL-test.internal.js b/packages/react-dom/src/__tests__/ReactDOMServerIntegrationUntrustedURL-test.internal.js
index a5b9409edd2e..2bdb11449704 100644
--- a/packages/react-dom/src/__tests__/ReactDOMServerIntegrationUntrustedURL-test.internal.js
+++ b/packages/react-dom/src/__tests__/ReactDOMServerIntegrationUntrustedURL-test.internal.js
@@ -17,7 +17,7 @@ let React;
 let ReactDOM;
 let ReactDOMServer;
 
-function runTests(itRenders, itRejects, expectToReject) {
+function runTests(itRenders, itRejectsRendering, expectToReject) {
   itRenders('a http link with the word javascript in it', async render => {
     const e = await render(
       <a href="http://javascript:0/thisisfine">Click me</a>,
@@ -26,22 +26,25 @@ function runTests(itRenders, itRejects, expectToReject) {
     expect(e.href).toBe('http://javascript:0/thisisfine');
   });
 
-  itRejects('a javascript protocol href', async render => {
+  itRejectsRendering('a javascript protocol href', async render => {
     const e = await render(<a href="javascript:notfine">p0wned</a>, 1);
     expect(e.href).toBe('javascript:notfine');
   });
 
-  itRejects('a javascript protocol with leading spaces', async render => {
-    const e = await render(
-      <a href={'  \t \u0000\u001F\u0003javascript\n: notfine'}>p0wned</a>,
-      1,
-    );
-    // We use an approximate comparison here because JSDOM might not parse
-    // \u0000 in HTML properly.
-    expect(e.href).toContain('notfine');
-  });
+  itRejectsRendering(
+    'a javascript protocol with leading spaces',
+    async render => {
+      const e = await render(
+        <a href={'  \t \u0000\u001F\u0003javascript\n: notfine'}>p0wned</a>,
+        1,
+      );
+      // We use an approximate comparison here because JSDOM might not parse
+      // \u0000 in HTML properly.
+      expect(e.href).toContain('notfine');
+    },
+  );
 
-  itRejects(
+  itRejectsRendering(
     'a javascript protocol with intermediate new lines and mixed casing',
     async render => {
       const e = await render(
@@ -52,7 +55,7 @@ function runTests(itRenders, itRejects, expectToReject) {
     },
   );
 
-  itRejects('a javascript protocol area href', async render => {
+  itRejectsRendering('a javascript protocol area href', async render => {
     const e = await render(
       <map>
         <area href="javascript:notfine" />
@@ -62,17 +65,20 @@ function runTests(itRenders, itRejects, expectToReject) {
     expect(e.firstChild.href).toBe('javascript:notfine');
   });
 
-  itRejects('a javascript protocol form action', async render => {
+  itRejectsRendering('a javascript protocol form action', async render => {
     const e = await render(<form action="javascript:notfine">p0wned</form>, 1);
     expect(e.action).toBe('javascript:notfine');
   });
 
-  itRejects('a javascript protocol button formAction', async render => {
-    const e = await render(<input formAction="javascript:notfine" />, 1);
-    expect(e.getAttribute('formAction')).toBe('javascript:notfine');
-  });
+  itRejectsRendering(
+    'a javascript protocol button formAction',
+    async render => {
+      const e = await render(<input formAction="javascript:notfine" />, 1);
+      expect(e.getAttribute('formAction')).toBe('javascript:notfine');
+    },
+  );
 
-  itRejects('a javascript protocol input formAction', async render => {
+  itRejectsRendering('a javascript protocol input formAction', async render => {
     const e = await render(
       <button formAction="javascript:notfine">p0wned</button>,
       1,
@@ -80,12 +86,12 @@ function runTests(itRenders, itRejects, expectToReject) {
     expect(e.getAttribute('formAction')).toBe('javascript:notfine');
   });
 
-  itRejects('a javascript protocol iframe src', async render => {
+  itRejectsRendering('a javascript protocol iframe src', async render => {
     const e = await render(<iframe src="javascript:notfine" />, 1);
     expect(e.src).toBe('javascript:notfine');
   });
 
-  itRejects('a javascript protocol frame src', async render => {
+  itRejectsRendering('a javascript protocol frame src', async render => {
     const e = await render(
       <html>
         <head />
@@ -98,7 +104,7 @@ function runTests(itRenders, itRejects, expectToReject) {
     expect(e.lastChild.firstChild.src).toBe('javascript:notfine');
   });
 
-  itRejects('a javascript protocol in an SVG link', async render => {
+  itRejectsRendering('a javascript protocol in an SVG link', async render => {
     const e = await render(
       <svg>
         <a href="javascript:notfine" />
@@ -108,7 +114,7 @@ function runTests(itRenders, itRejects, expectToReject) {
     expect(e.firstChild.getAttribute('href')).toBe('javascript:notfine');
   });
 
-  itRejects(
+  itRejectsRendering(
     'a javascript protocol in an SVG link with a namespace',
     async render => {
       const e = await render(

From 38d6287e8e4138e79a2c78312157cc2c95273b18 Mon Sep 17 00:00:00 2001
From: Sebastian Markbage <sema@fb.com>
Date: Mon, 11 Mar 2019 15:42:38 -0700
Subject: [PATCH 09/11] Dedupe warning and add the unsafe URL to the warning
 message

---
 ...MServerIntegrationUntrustedURL-test.internal.js | 14 +++++++++++---
 packages/react-dom/src/shared/sanitizeURL.js       | 10 +++++++---
 2 files changed, 18 insertions(+), 6 deletions(-)

diff --git a/packages/react-dom/src/__tests__/ReactDOMServerIntegrationUntrustedURL-test.internal.js b/packages/react-dom/src/__tests__/ReactDOMServerIntegrationUntrustedURL-test.internal.js
index 2bdb11449704..da3918241307 100644
--- a/packages/react-dom/src/__tests__/ReactDOMServerIntegrationUntrustedURL-test.internal.js
+++ b/packages/react-dom/src/__tests__/ReactDOMServerIntegrationUntrustedURL-test.internal.js
@@ -27,8 +27,16 @@ function runTests(itRenders, itRejectsRendering, expectToReject) {
   });
 
   itRejectsRendering('a javascript protocol href', async render => {
-    const e = await render(<a href="javascript:notfine">p0wned</a>, 1);
-    expect(e.href).toBe('javascript:notfine');
+    // Only the first one warns. The second warning is deduped.
+    const e = await render(
+      <div>
+        <a href="javascript:notfine">p0wned</a>
+        <a href="javascript:notfineagain">p0wned again</a>
+      </div>,
+      1,
+    );
+    expect(e.firstChild.href).toBe('javascript:notfine');
+    expect(e.lastChild.href).toBe('javascript:notfineagain');
   });
 
   itRejectsRendering(
@@ -162,7 +170,7 @@ describe('ReactDOMServerIntegration - Untrusted URLs', () => {
     expect(fn).toWarnDev(
       'Warning: A future version of React will block javascript: URLs as a security precaution. ' +
         'Use event handlers instead if you can. If you need to generate unsafe HTML try using ' +
-        'dangerouslySetInnerHTML instead.\n' +
+        'dangerouslySetInnerHTML instead. React was passed "javascript:notfine".\n' +
         '    in a (at **)',
     ),
   );
diff --git a/packages/react-dom/src/shared/sanitizeURL.js b/packages/react-dom/src/shared/sanitizeURL.js
index d9281ca10994..9e1034c1fe45 100644
--- a/packages/react-dom/src/shared/sanitizeURL.js
+++ b/packages/react-dom/src/shared/sanitizeURL.js
@@ -29,6 +29,8 @@ if (__DEV__) {
 /* eslint-disable max-len */
 const isJavaScriptProtocol = /^[\u0000-\u001F ]*j[\r\n\t]*a[\r\n\t]*v[\r\n\t]*a[\r\n\t]*s[\r\n\t]*c[\r\n\t]*r[\r\n\t]*i[\r\n\t]*p[\r\n\t]*t[\r\n\t]*\:/i;
 
+let didWarn = false;
+
 function sanitizeURL(url: string) {
   if (disableJavaScriptURLs) {
     invariant(
@@ -36,12 +38,14 @@ function sanitizeURL(url: string) {
       'React has blocked a javascript: URL as a security precaution.%s',
       __DEV__ ? ReactDebugCurrentFrame.getStackAddendum() : '',
     );
-  } else if (__DEV__) {
+  } else if (__DEV__ && !didWarn && isJavaScriptProtocol.test(url)) {
+    didWarn = true;
     warning(
-      !isJavaScriptProtocol.test(url),
+      false,
       'A future version of React will block javascript: URLs as a security precaution. ' +
         'Use event handlers instead if you can. If you need to generate unsafe HTML try ' +
-        'using dangerouslySetInnerHTML instead.',
+        'using dangerouslySetInnerHTML instead. React was passed %s.',
+      JSON.stringify(url),
     );
   }
 }

From be4f5c8028976712a038d2820d342c18967f4fe7 Mon Sep 17 00:00:00 2001
From: Sebastian Markbage <sema@fb.com>
Date: Mon, 11 Mar 2019 15:51:35 -0700
Subject: [PATCH 10/11] Add test that fails if g is added to the sanitizer

This only affects the prod version since the warning is deduped anyway.
---
 ...erIntegrationUntrustedURL-test.internal.js | 37 +++++++++++++------
 1 file changed, 26 insertions(+), 11 deletions(-)

diff --git a/packages/react-dom/src/__tests__/ReactDOMServerIntegrationUntrustedURL-test.internal.js b/packages/react-dom/src/__tests__/ReactDOMServerIntegrationUntrustedURL-test.internal.js
index da3918241307..a01ff6a96c8e 100644
--- a/packages/react-dom/src/__tests__/ReactDOMServerIntegrationUntrustedURL-test.internal.js
+++ b/packages/react-dom/src/__tests__/ReactDOMServerIntegrationUntrustedURL-test.internal.js
@@ -201,6 +201,18 @@ describe('ReactDOMServerIntegration - Untrusted URLs - disableJavaScriptURLs', (
     clientRenderOnServerString,
   } = ReactDOMServerIntegrationUtils(initModules);
 
+  const expectToReject = fn => {
+    let msg;
+    try {
+      fn();
+    } catch (x) {
+      msg = x.message;
+    }
+    expect(msg).toContain(
+      'React has blocked a javascript: URL as a security precaution.',
+    );
+  };
+
   beforeEach(() => {
     resetModules();
   });
@@ -209,17 +221,7 @@ describe('ReactDOMServerIntegration - Untrusted URLs - disableJavaScriptURLs', (
     itRenders,
     (message, test) =>
       itThrowsWhenRendering(message, test, 'blocked a javascript: URL'),
-    fn => {
-      let msg;
-      try {
-        fn();
-      } catch (x) {
-        msg = x.message;
-      }
-      expect(msg).toContain(
-        'React has blocked a javascript: URL as a security precaution.',
-      );
-    },
+    expectToReject,
   );
 
   itRenders('only the first invocation of toString', async render => {
@@ -248,4 +250,17 @@ describe('ReactDOMServerIntegration - Untrusted URLs - disableJavaScriptURLs', (
     expect(toStringCalls).toBe(expectedToStringCalls);
     expect(e.href).toBe('https://fb.me/');
   });
+
+  it('rejects a javascript protocol href if it is added during an update twice', () => {
+    let container = document.createElement('div');
+    ReactDOM.render(<a href="thisisfine">click me</a>, container);
+    expectToReject(() => {
+      ReactDOM.render(<a href="javascript:notfine">click me</a>, container);
+    });
+    // The second update ensures that a global flag hasn't been added to the regex
+    // which would fail to match the second time it is called.
+    expectToReject(() => {
+      ReactDOM.render(<a href="javascript:notfine">click me</a>, container);
+    });
+  });
 });

From c8979c016814a120dcd56ef4e26a20802c3e60d7 Mon Sep 17 00:00:00 2001
From: Sebastian Markbage <sema@fb.com>
Date: Mon, 11 Mar 2019 16:25:15 -0700
Subject: [PATCH 11/11] Fix prod test

---
 ...ServerIntegrationUntrustedURL-test.internal.js | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/packages/react-dom/src/__tests__/ReactDOMServerIntegrationUntrustedURL-test.internal.js b/packages/react-dom/src/__tests__/ReactDOMServerIntegrationUntrustedURL-test.internal.js
index a01ff6a96c8e..21a4cc1b6dc8 100644
--- a/packages/react-dom/src/__tests__/ReactDOMServerIntegrationUntrustedURL-test.internal.js
+++ b/packages/react-dom/src/__tests__/ReactDOMServerIntegrationUntrustedURL-test.internal.js
@@ -226,13 +226,18 @@ describe('ReactDOMServerIntegration - Untrusted URLs - disableJavaScriptURLs', (
 
   itRenders('only the first invocation of toString', async render => {
     let expectedToStringCalls = 1;
-    if (
-      render === clientRenderOnBadMarkup ||
-      render === clientRenderOnServerString
-    ) {
-      // The hydration calls it one extra time.
+    if (render === clientRenderOnBadMarkup) {
+      // It gets called once on the server and once on the client
+      // which happens to share the same object in our test runner.
       expectedToStringCalls = 2;
     }
+    if (render === clientRenderOnServerString && __DEV__) {
+      // The hydration validation calls it one extra time.
+      // TODO: It would be good if we only called toString once for
+      // consistency but the code structure makes that hard right now.
+      expectedToStringCalls = 2;
+    }
+
     let toStringCalls = 0;
     let firstIsSafe = {
       toString() {