Merge remote-tracking branch 'upstream/master'

facebook · Aug 1, 2018 · 473b52f · 473b52f
2 parents d7c57e5 + e341e50
commit 473b52f
Show file tree

Hide file tree

Showing 59 changed files with 16,905 additions and 117 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,6 +7,14 @@
 
 </details>
 
+## 16.4.2 (August 1, 2018)
+
+### React DOM Server
+
+* Fix a [potential XSS vulnerability when the attacker controls an attribute name](https://reactjs.org/blog/2018/08/01/react-v-16-4-2.html) (`CVE-2018-6341`). This fix is available in the latest `react-dom@16.4.2`, as well as in previous affected minor versions: `react-dom@16.0.1`, `react-dom@16.1.2`, `react-dom@16.2.1`, and `react-dom@16.3.3`. ([@gaearon](https://github.com/gaearon) in [#13302](https://github.com/facebook/react/pull/13302))
+
+* Fix a crash in the server renderer when an attribute is called `hasOwnProperty`. This fix is only available in `react-dom@16.4.2`. ([@gaearon](https://github.com/gaearon) in [#13303](https://github.com/facebook/react/pull/13303))
+
 ## 16.4.1 (June 13, 2018)
 
 ### React
@@ -70,6 +78,12 @@
 
 * The [new host config shape](https://github.com/facebook/react/blob/c601f7a64640290af85c9f0e33c78480656b46bc/packages/react-noop-renderer/src/createReactNoop.js#L82-L285) is flat and doesn't use nested objects. ([@gaearon](https://github.com/gaearon) in [#12792](https://github.com/facebook/react/pull/12792))
 
+## 16.3.3 (August 1, 2018)
+
+### React DOM Server
+
+* Fix a [potential XSS vulnerability when the attacker controls an attribute name](https://reactjs.org/blog/2018/08/01/react-v-16-4-2.html) (`CVE-2018-6341`). This fix is available in the latest `react-dom@16.4.2`, as well as in previous affected minor versions: `react-dom@16.0.1`, `react-dom@16.1.2`, `react-dom@16.2.1`, and `react-dom@16.3.3`. ([@gaearon](https://github.com/gaearon) in [#13302](https://github.com/facebook/react/pull/13302))
+
 ## 16.3.2 (April 16, 2018)
 
 ### React
@@ -179,6 +193,12 @@
 
 * Fix a crash on updates. ([@rmhartog](https://github.com/rmhartog) in [#11955](https://github.com/facebook/react/pull/11955))
 
+## 16.2.1 (August 1, 2018)
+
+### React DOM Server
+
+* Fix a [potential XSS vulnerability when the attacker controls an attribute name](https://reactjs.org/blog/2018/08/01/react-v-16-4-2.html) (`CVE-2018-6341`). This fix is available in the latest `react-dom@16.4.2`, as well as in previous affected minor versions: `react-dom@16.0.1`, `react-dom@16.1.2`, `react-dom@16.2.1`, and `react-dom@16.3.3`. ([@gaearon](https://github.com/gaearon) in [#13302](https://github.com/facebook/react/pull/13302))
+
 ## 16.2.0 (November 28, 2017)
 
 ### React
@@ -203,6 +223,12 @@
 
 * Many tests were rewritten against the public API. Big thanks to [everyone who contributed](https://github.com/facebook/react/issues/11299)!
 
+## 16.1.2 (August 1, 2018)
+
+### React DOM Server
+
+* Fix a [potential XSS vulnerability when the attacker controls an attribute name](https://reactjs.org/blog/2018/08/01/react-v-16-4-2.html) (`CVE-2018-6341`). This fix is available in the latest `react-dom@16.4.2`, as well as in previous affected minor versions: `react-dom@16.0.1`, `react-dom@16.1.2`, `react-dom@16.2.1`, and `react-dom@16.3.3`. ([@gaearon](https://github.com/gaearon) in [#13302](https://github.com/facebook/react/pull/13302))
+
 ## 16.1.1 (November 13, 2017)
 
 ### React
@@ -293,6 +319,12 @@ Starting with 16.1.0, we will no longer be publishing new releases on Bower. You
 
 * First release of the [new experimental package](https://github.com/facebook/react/tree/master/packages/react-call-return) for parent-child communication. ([@gaearon](https://github.com/gaearon) in [#11364](https://github.com/facebook/react/pull/11364))
 
+## 16.0.1 (August 1, 2018)
+
+### React DOM Server
+
+* Fix a [potential XSS vulnerability when the attacker controls an attribute name](https://reactjs.org/blog/2018/08/01/react-v-16-4-2.html) (`CVE-2018-6341`). This fix is available in the latest `react-dom@16.4.2`, as well as in previous affected minor versions: `react-dom@16.0.1`, `react-dom@16.1.2`, `react-dom@16.2.1`, and `react-dom@16.3.3`. ([@gaearon](https://github.com/gaearon) in [#13302](https://github.com/facebook/react/pull/13302))
+
 ## 16.0.0 (September 26, 2017)
 
 ### New JS Environment Requirements

diff --git a/fixtures/dom/src/components/fixtures/selects/index.js b/fixtures/dom/src/components/fixtures/selects/index.js
@@ -177,6 +177,31 @@ class SelectFixture extends React.Component {
             </form>
           </div>
         </TestCase>
+
+        <TestCase
+          title="An option which contains conditional render fails"
+          relatedIssues="11911">
+          <TestCase.Steps>
+            <li>Select any option</li>
+          </TestCase.Steps>
+          <TestCase.ExpectedResult>
+            Option should be set
+          </TestCase.ExpectedResult>
+
+          <div className="test-fixture">
+            <select value={this.state.value} onChange={this.onChange}>
+              <option value="red">
+                red {this.state.value === 'red' && 'is chosen '} TextNode
+              </option>
+              <option value="blue">
+                blue {this.state.value === 'blue' && 'is chosen '} TextNode
+              </option>
+              <option value="green">
+                green {this.state.value === 'green' && 'is chosen '} TextNode
+              </option>
+            </select>
+          </div>
+        </TestCase>
       </FixtureSet>
     );
   }

diff --git a/fixtures/unstable-async/suspense/.gitignore b/fixtures/unstable-async/suspense/.gitignore
@@ -0,0 +1,14 @@
+# See http://help.github.com/ignore-files/ for more about ignoring files.
+
+# dependencies
+node_modules
+
+# testing
+coverage
+
+# production
+build
+
+# misc
+.DS_Store
+npm-debug.log
diff --git a/fixtures/unstable-async/suspense/README.md b/fixtures/unstable-async/suspense/README.md
@@ -0,0 +1,26 @@
+# IO "suspense" demo
+
+## What is this fixture?
+
+This is a demo application based on [Dan Abramov's](https://github.com/gaearon) recent [JSConf Iceland talk](https://reactjs.org/blog/2018/03/01/sneak-peek-beyond-react-16.html) about React.
+
+It depends on a local build of React and enables us to easily test async and "suspense" APIs in a more "real world app" like context.
+
+## Can I use this code in production?
+
+No. The APIs being tested here are unstable and some of them have still not been released to NPM. For now, this fixture is only a test harness.
+
+## How do I run this fixture?
+
+```shell
+# 1: Build react from source
+cd /path/to/react
+yarn build -- dom,core,interaction,simple-cache-provider type=NODE
+
+# 2: Install fixture dependencies
+cd ./fixtures/suspense/io/
+yarn install
+
+# 3: Run the app
+yarn start
+```
diff --git a/fixtures/unstable-async/suspense/package.json b/fixtures/unstable-async/suspense/package.json
@@ -0,0 +1,41 @@
+{
+  "name": "io-demo",
+  "version": "0.1.0",
+  "private": true,
+  "homepage": ".",
+  "devDependencies": {
+    "gh-pages": "^1.1.0",
+    "react-scripts": "^1.1.4"
+  },
+  "dependencies": {
+    "clipboard": "^1.7.1",
+    "github-fork-ribbon-css": "^0.2.1",
+    "react": "../../../build/node_modules/react",
+    "react-dom": "../../../build/node_modules/react-dom",
+    "react-draggable": "^3.0.5",
+    "simple-cache-provider": "../../../build/node_modules/simple-cache-provider"
+  },
+  "scripts": {
+    "start": "react-scripts start",
+    "build": "react-scripts build",
+    "test": "react-scripts test --env=jsdom",
+    "eject": "react-scripts eject",
+    "deploy": "gh-pages -d build"
+  },
+  "eslintConfig": {
+    "extends": "./node_modules/react-scripts/config/eslint.js"
+  },
+  "browserslist": {
+    "development": [
+      "last 2 chrome versions",
+      "last 2 firefox versions",
+      "last 2 edge versions"
+    ],
+    "production": [
+      ">1%",
+      "last 4 versions",
+      "Firefox ESR",
+      "not ie < 11"
+    ]
+  }
+}
diff --git a/fixtures/unstable-async/suspense/public/favicon.ico b/fixtures/unstable-async/suspense/public/favicon.ico
diff --git a/fixtures/unstable-async/suspense/public/img/acdlite.jpeg b/fixtures/unstable-async/suspense/public/img/acdlite.jpeg
diff --git a/fixtures/unstable-async/suspense/public/img/bvaughn.jpeg b/fixtures/unstable-async/suspense/public/img/bvaughn.jpeg
diff --git a/fixtures/unstable-async/suspense/public/img/flarnie.jpeg b/fixtures/unstable-async/suspense/public/img/flarnie.jpeg
diff --git a/fixtures/unstable-async/suspense/public/img/gaearon.jpeg b/fixtures/unstable-async/suspense/public/img/gaearon.jpeg
diff --git a/fixtures/unstable-async/suspense/public/img/sebmarkbage.jpeg b/fixtures/unstable-async/suspense/public/img/sebmarkbage.jpeg
diff --git a/fixtures/unstable-async/suspense/public/img/sophiebits.jpeg b/fixtures/unstable-async/suspense/public/img/sophiebits.jpeg
diff --git a/fixtures/unstable-async/suspense/public/img/trueadm.jpeg b/fixtures/unstable-async/suspense/public/img/trueadm.jpeg
diff --git a/fixtures/unstable-async/suspense/public/index.html b/fixtures/unstable-async/suspense/public/index.html
@@ -0,0 +1,13 @@
+<!doctype html>
+<html lang="en">
+  <head>
+    <meta charset="utf-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1">
+    <link rel="shortcut icon" href="./src/favicon.ico">
+    <title>Movie List</title>
+  </head>
+  <body>
+    <div id="root"></div>
+    <div id="debugger"></div>
+  </body>
+</html>
diff --git a/fixtures/unstable-async/suspense/public/manifest.json b/fixtures/unstable-async/suspense/public/manifest.json
@@ -0,0 +1,15 @@
+{
+  "short_name": "Emoji Search",
+  "name": "Emoji Search Example App",
+  "icons": [
+    {
+      "src": "favicon.ico",
+      "sizes": "64x64 32x32 24x24 16x16",
+      "type": "image/x-icon"
+    }
+  ],
+  "start_url": "./index.html",
+  "display": "standalone",
+  "theme_color": "#000000",
+  "background_color": "#ffffff"
+}