Does VDOM support injecting a 'script' element?

[bryanchen-d]

Application or Package Used
@nteract/core

I'm evaluating if there is any XSS risks by turning on the VDOM transform, code like

VDOM({
    'tagName': 'script',
    'attributes':{},
    'children': "console.log(\"vdom\");alert(\"vdom\");"
})

would run, however the script is not executed, I am wondering if the content of VDOM object gets sanitized?

[captainsafia]

Transferring this to nteract/outputs.

The VDOM transform doesn't sanitize outputs. The reason the code isn't executed is because VDOM inserts elements into the UI using React's React.createElement API which inserts the element into React's virtual DOM, which is then copied to the browser's DOM. As a result, the script is never actually executed.