Input tag via Field component error messages susceptible to XSS

[CristinaSolana]

Overview of the problem

Buefy version: 0.8.17
Vuejs version: 2.X.X
OS/Browser:

Input tag via field component error messages susceptible to XSS. The issue is the v-html used here: https://github.com/buefy/buefy/blob/dev/src/components/field/Field.vue#L35

Steps to reproduce

1. Go to https://buefy.org/documentation/input
2. Scroll down to Icons section
3. in the email field enter: ">
4. Press Tab key

Expected behavior

The error message should not parse HTML (or sanitize it firs) so that XSS is not possible

Actual behavior

Error message parses HTML and allows XSS and therefore the alert pops with the document's domain

[jtommy]

What do you think if I add a message slot in order to use a custom content ?

[CristinaSolana]

Tbh, what I think would be great is if the message and the error were separate so you could have a custom message and custom error on the field, both without the use of v-html. :)

For the sake of not having an XSS by default on fields, I think a slot is a good compromise if it will eliminate the v-html.

[jtommy]

Close f0ff2ae