Safer state serialization
New in 2.0.0
This version introduces a small change to the way server-rendered state is handed to the client. It is not backwards compatible: client code that reads the state must be updated.
Before, state was serialized into the window object by an inline script rendered with dangerouslySetInnerHTML. That is unsafe: the serialized JSON is inserted into the document without HTML escaping, so a string inside the state that contains a sequence such as </script> (for example, user-supplied content that ends up in the store) terminates the script element early and everything after it is parsed as HTML, which is an XSS vulnerability. Instead, the state is now rendered into a div element on the page as a data attribute, where it is escaped like any other attribute value and cannot form tags. To grab the state on the client, read that div and parse its data attribute.
const state = window.__state;
becomes
const state = JSON.parse(document.getElementById('__state').dataset.state);