1.5.1 release announcement

reactjs · Apr 24, 2015 · 2ba00cc · 2ba00cc
1 parent 719d5a4
commit 2ba00cc
Showing 1 changed file with 25 additions and 0 deletions.
diff --git a/site/jekyll/_posts/2015-04-23-1.5.1-release.md b/site/jekyll/_posts/2015-04-23-1.5.1-release.md
@@ -0,0 +1,25 @@
+---
+title: "ReactJS.NET 1.5.1 - Security update"
+layout: post
+author: Daniel Lo Nigro
+---
+
+I'm happy to announce the release of ReactJS.NET 1.5.1! This is a bug fix release and fixes a potential XSS issue with server-side rendering. JSON.NET does not escape HTML characters in its JSON output by default. As ReactJS.NET uses JSON.NET to output the props of server-side rendered components, a prop that accepts arbitrary user input could potentially contain script tags, allowing for XSS.
+
+Escaping of HTML is now enabled by default. If you are using custom JSON serializer settings, you can enable HTML escaping by setting `StringEscapeHandling` to `StringEscapeHandling.EscapeHtml`:
+
+```csharp
+ReactSiteConfiguration.Configuration.SetJsonSerializerSettings(
+  new JsonSerializerSettings
+  {
+    StringEscapeHandling = StringEscapeHandling.EscapeHtml
+  }
+);
+```
+
+Have fun, and as always, please feel free to send feedback or bug reports
+[on GitHub](https://github.com/reactjs/React.NET).
+
+— Daniel
+
+*Thanks to [Li Huan Jeow](https://www.linkedin.com/in/huan086) for the report.*