Security docs in Plugins hanbook for developing in block editor context

[manooweb]

Hello,

As we discussed during a #core-editor meeting on wednesday 5th June
​https://wordpress.slack.com/archives/C02QB2JS7/p1559741727071700

it seems there is no guidelines about what a developer need to pay attention when he codes in javascript and espacially React technologies like that exists with PHP in the plugins handbook here ​https://developer.wordpress.org/plugins/security/

For example when we start and are new on these technologies we can ask ourselves some questions

• Do I need to use JSX instead of createElement because JSX is safe?

See ​https://reactjs.org/docs/react-without-jsx.html
and ​https://reactjs.org/docs/introducing-jsx.html#jsx-prevents-injection-attacks

Is it the same because Babel compiles JSX down to React.createElement() calls?

• What about the use of dangerouslySetInnerHtml? The block editor use it internally. What should we pay attention to when we need to use it?

​https://reactjs.org/docs/dom-elements.html#dangerouslysetinnerhtml

• What should we never do?

Because we don't really know where to open the issue I'm going to also open it on the Gutenberg repository on Github

Regards

[manooweb]

issue on github ​https://github.com/WordPress/gutenberg/issues/16036

[SergeyBiryukov]

Hi @manooweb, welcome to WordPress Trac! Thanks for the report.

Please note that this Trac is used for enhancements and bug reporting for the WordPress core software. Any issues with WordPress.org sites, including developer handbooks, should be reported on ​https://meta.trac.wordpress.org.

I've transferred the report to ​#meta4504. Thanks again!

[manooweb]

ok thank you @SergeyBiryukov and sorry I didn't know it