escapeInject
Environment: server.
The escapeInject template literal tag HTML-escapes every string interpolated into it, which prevents cross-site scripting (XSS) injections: untrusted text cannot break out of the markup it is placed in.
If you use a UI framework Vike extension (vike-react, vike-vue or vike-solid), you don't need to use escapeInject yourself, as the extension already sanitizes its HTML.
It's usually used by the onRenderHtml() hook.
All interpolated strings, e.g. title above, are automatically sanitized (technically speaking: HTML-escaped), so we can safely include untrusted strings such as user-generated text. HTML-escaping makes a string inert as element text and inside quoted attribute values; it does not make a string safe inside a <script> block, an inline event handler or a URL, so untrusted values should not be interpolated into those contexts.
The dangerouslySkipEscape(str) function injects the string str as-is, without sanitizing it.
We should use dangerouslySkipEscape() with a lot of caution and only for HTML strings that are guaranteed to be already sanitized.
We usually use dangerouslySkipEscape() for including HTML generated by UI frameworks (React/Vue/...), as these already escape what they render. That guarantee only covers what the framework rendered itself: raw HTML passed through with React's dangerouslySetInnerHTML or Vue's v-html reaches the page unchanged, so the data feeding those must be sanitized separately.
If we find ourselves using dangerouslySkipEscape() in other situations, we should be extra careful, as we run the risk of creating a security breach.
HTML Fragments
We can assemble the overall HTML document from several HTML fragments. For example, if we want some HTML parts to be included only for certain pages:
pageContext.config.description is a custom setting, see API > meta > Example: title and description.
Example:
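The following is an added, self-contained illustration of both mechanisms described on this page (escaping of interpolated strings with a dangerouslySkipEscape() escape hatch, and assembling the document from conditional HTML fragments). It is not Vike's own code and not the example from the original page: escapeInject and dangerouslySkipEscape are re-implemented here in a few lines so the behaviour can be run and inspected offline, and renderViewToString() is a hypothetical stand-in for a UI framework's renderToString(). In a Vike app you would import escapeInject and dangerouslySkipEscape from 'vike/server' instead.

```javascript
// Added example (not Vike's own code): a minimal re-implementation of the
// escapeInject / dangerouslySkipEscape pattern so the mechanism can be run
// stand-alone. In a Vike app, import both from 'vike/server' instead.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// HTML-escape a value so it is inert as element text or as a quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Wrapper type that marks a string as trusted HTML. The tag only injects
// instances of this class verbatim; plain strings are always escaped.
class HtmlFragment {
  constructor(html) { this.html = html; }
  toString() { return this.html; }
}

// Mark an already-sanitized HTML string (e.g. a UI framework's renderToString()
// output) so that escapeInject injects it as-is.
function dangerouslySkipEscape(html) {
  if (typeof html !== 'string') throw new TypeError('dangerouslySkipEscape() expects a string');
  return new HtmlFragment(html);
}

// Template tag: escapes every interpolated value unless it is a trusted
// HtmlFragment (from dangerouslySkipEscape() or a nested escapeInject`...`).
function escapeInject(strings, ...values) {
  let out = strings[0];
  values.forEach((value, i) => {
    if (value instanceof HtmlFragment) {
      out += value.html;                // trusted: nested fragment or framework HTML
    } else if (value === null || value === undefined || value === false) {
      out += '';                        // lets `${cond ? fragment : ''}` drop a part cleanly
    } else {
      out += escapeHtml(value);         // everything else is treated as untrusted text
    }
    out += strings[i + 1];
  });
  return new HtmlFragment(out);
}

// Hypothetical stand-in for a UI framework's server renderer; assumed (like
// React/Vue/Solid) to have escaped the data it rendered.
function renderViewToString(pageContext) {
  return `<h1>${escapeHtml(pageContext.config.title)}</h1>`;
}

// An onRenderHtml() hook in the shape the docs describe, assembled from
// fragments: the description <meta> tag is only emitted when the page sets
// the (assumed custom) `description` setting.
function onRenderHtml(pageContext) {
  const { title, description } = pageContext.config;
  const descriptionTag = description
    ? escapeInject`<meta name="description" content="${description}" />`
    : '';
  const viewHtml = dangerouslySkipEscape(renderViewToString(pageContext));
  return escapeInject`<!DOCTYPE html>
<html>
  <head>
    <title>${title}</title>
    ${descriptionTag}
  </head>
  <body>
    <div id="root">${viewHtml}</div>
  </body>
</html>`;
}

// Constructed sample input: a title taken from user-generated content that
// carries an injection attempt.
const samplePageContext = {
  config: {
    title: '<script>alert(1)</script> "Hello" & welcome',
    description: 'Quote " in description',
  },
};

function renderSample() {
  return onRenderHtml(samplePageContext).toString();
}

console.log(renderSample());
```

Running it prints a document in which the title and the description attribute are escaped while the framework-rendered `<h1>` is injected verbatim; omitting `description` from the config drops the `<meta>` tag entirely because the conditional evaluates to an empty string rather than to an escaped placeholder.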