-Original file line number
+Diff line change
@@ -0,0 +1,7 @@
+    {
+      "type": "patch",
+      "comment": "fix: prevent XSS theme vulnerability during SSR",
+      "packageName": "@fluentui/react-provider",
+      "email": "martinhochel@microsoft.com",
+      "dependentChangeType": "patch"
+    }

-Original file line number
+Diff line change
@@ Expand Up / @@ -16,4 +16,17 @@ describe('createCSSRuleFromTheme', () => { @@
           `".selector { --borderRadiusLarge: 10px; --colorBackgroundOverlay: rgba(0, 0, 0, 0.4);  }"`,
         );
       });
+      it('prevents XSS by replacing angle brackets that could inject HTML', () => {
+        const theme = {
+          colorBrandBackground: '</style><script>alert("xss")</script>',
+        } as PartialTheme;
+        const result = createCSSRuleFromTheme('.selector', theme);
+        expect(result).not.toContain('<');
+        expect(result).not.toContain('>');
+        expect(result).toMatchInlineSnapshot(
+          `".selector { --colorBrandBackground: \\\\3C /style\\\\3E \\\\3C script\\\\3E alert(\\"xss\\")\\\\3C /script\\\\3E ;  }"`,
+        );
+      });
     });

-Original file line number
+Diff line change
@@ -1,5 +1,21 @@
     import type { PartialTheme } from '@fluentui/react-theme';
+    const CSS_ESCAPE_MAP = {
+      '<': '\\3C ',
+      '>': '\\3E ',
+    };
+    /**
+     * Escapes characters that could break out of a <style> tag during SSR.
+     *
+     * IMPORTANT: Do not strip quotes. Theme values legitimately include quoted font families and other CSS.
+     * We only need to ensure the generated text cannot terminate the style tag and inject HTML.
+     */
+    function escapeForStyleTag(value: string): string {
+      // Escape as CSS code points so the resulting CSS still represents the same characters.
+      // Using CSS escapes prevents the HTML parser from seeing a literal '<' / '>' and closing <style>.
+      return value.replace(/[<>]/g, match => CSS_ESCAPE_MAP[match as keyof typeof CSS_ESCAPE_MAP]);
+    }
     /**
      * Creates a CSS rule from a theme object.
      *
@@ Expand All @@
           return `${cssVarRule}--${cssVar}: ${theme[cssVar]}; `;
         }, '');
-        return `${selector} { ${cssVarsAsString} }`;
+        return `${selector} { ${escapeForStyleTag(cssVarsAsString)} }`;
       }
       return `${selector} {}`;
@@ Expand Down @@

fix(react-provider): prevent XSS theme vulnerability during SSR #35717

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged

Feb 6, 2026

+37 −1

-Original file line number
+Diff line change
@@ -0,0 +1,7 @@
+    {
+      "type": "patch",
+      "comment": "fix: prevent XSS theme vulnerability during SSR",
+      "packageName": "@fluentui/react-provider",
+      "email": "martinhochel@microsoft.com",
+      "dependentChangeType": "patch"
+    }

-Original file line number
+Diff line change
@@ Expand Up / @@ -16,4 +16,17 @@ describe('createCSSRuleFromTheme', () => { @@
           `".selector { --borderRadiusLarge: 10px; --colorBackgroundOverlay: rgba(0, 0, 0, 0.4);  }"`,
         );
       });
+      it('prevents XSS by replacing angle brackets that could inject HTML', () => {
+        const theme = {
+          colorBrandBackground: '</style><script>alert("xss")</script>',
+        } as PartialTheme;
+        const result = createCSSRuleFromTheme('.selector', theme);
+        expect(result).not.toContain('<');
+        expect(result).not.toContain('>');
+        expect(result).toMatchInlineSnapshot(
+          `".selector { --colorBrandBackground: \\\\3C /style\\\\3E \\\\3C script\\\\3E alert(\\"xss\\")\\\\3C /script\\\\3E ;  }"`,
+        );
+      });
     });

-Original file line number
+Diff line change
@@ -1,5 +1,21 @@
     import type { PartialTheme } from '@fluentui/react-theme';
+    const CSS_ESCAPE_MAP = {
+      '<': '\\3C ',
+      '>': '\\3E ',
+    };
+    /**
+     * Escapes characters that could break out of a <style> tag during SSR.
+     *
+     * IMPORTANT: Do not strip quotes. Theme values legitimately include quoted font families and other CSS.
+     * We only need to ensure the generated text cannot terminate the style tag and inject HTML.
+     */
+    function escapeForStyleTag(value: string): string {
+      // Escape as CSS code points so the resulting CSS still represents the same characters.
+      // Using CSS escapes prevents the HTML parser from seeing a literal '<' / '>' and closing <style>.
+      return value.replace(/[<>]/g, match => CSS_ESCAPE_MAP[match as keyof typeof CSS_ESCAPE_MAP]);
+    }
     /**
      * Creates a CSS rule from a theme object.
      *
@@ Expand All @@
           return `${cssVarRule}--${cssVar}: ${theme[cssVar]}; `;
         }, '');
-        return `${selector} { ${cssVarsAsString} }`;
+        return `${selector} { ${escapeForStyleTag(cssVarsAsString)} }`;
       }
       return `${selector} {}`;
@@ Expand Down @@

Provide feedback