CSP: Remove unsafe-eval when vue isn't used #4747
Merged
Fixing XSS through vue.

We should NEVER do something like this:

The fact that `v-` is present means that VueJs will parse the block (and all its descendants). If `@blah4` is `{{ alert("lol") }}`, then the JS will be injected, as vue requires CSP `unsafe-eval`...

Short story: If you use VueJS, DO NOT mix it with Razor templates. If you do, you need to be extra careful about whether or not the data comes from the user and is properly validated.

If you want to make VueJs ignore blocks, you need to use `v-pre` on the element. This is needed when you are using some partial pages which may be included in a page with vue.

Credit to @cupc4k3
https://huntr.dev/bounties/ad1f917f-2b25-40ef-9215-c805354c683b/

Note that this PR also removes `unsafe-eval` where I think vue isn't used. It may break things but tests are fine.
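As an added illustration (not code from this PR or its project), the check below scans server-rendered HTML for the hazard the description warns about: `{{ ... }}` text sitting under an element that carries a Vue directive without a `v-pre` guard. It follows the rule of thumb given above (a `v-` / `@` / `:` attribute on an ancestor marks the block as Vue-managed) and uses a deliberately simplified tag tokenizer; the function name and the sample markup are constructed for this example.

```javascript
// Added example, not code from the PR: scans server-rendered (e.g. Razor) HTML
// for "{{ ... }}" text Vue would compile, following the rule of thumb above:
// an ancestor carries a v-*/@/: directive and no ancestor carries v-pre.
// Simplified tokenizer: no ">" inside attribute values, no comment/script handling.
const TAG_RE = /<\/?([a-zA-Z][\w-]*)([^>]*)>/g;
const VOID_TAGS = new Set(["br", "hr", "img", "input", "meta", "link"]);
const DIRECTIVE_RE = /(^|\s)(v-[\w.:-]+|@[\w.-]+|:[\w.-]+)(=|\s|$)/;
const PRE_RE = /(^|\s)v-pre(=|\s|$)/;

// Returns [{ offset, text }] for each unguarded mustache in a Vue-managed subtree.
function findUnguardedInterpolations(html) {
  const findings = [];
  const stack = [];                 // open elements: { name, vue, pre }
  let inVue = 0, inPre = 0, last = 0, m;
  const checkText = (text, offset) => {
    if (inVue === 0 || inPre > 0) return;   // not Vue-managed, or guarded by v-pre
    const re = /\{\{[\s\S]*?\}\}/g;
    let t;
    while ((t = re.exec(text)) !== null) findings.push({ offset: offset + t.index, text: t[0] });
  };
  while ((m = TAG_RE.exec(html)) !== null) {
    checkText(html.slice(last, m.index), last);   // text node before this tag
    last = TAG_RE.lastIndex;
    const [full, tag, attrs] = m;
    const name = tag.toLowerCase();
    if (full.startsWith("</")) {
      let e;                          // pop to the matching open tag
      do {
        e = stack.pop();
        if (!e) break;
        if (e.vue) inVue--;
        if (e.pre) inPre--;
      } while (e.name !== name);
    } else if (!VOID_TAGS.has(name) && !full.endsWith("/>")) {
      const entry = { name, vue: DIRECTIVE_RE.test(attrs), pre: PRE_RE.test(attrs) };
      stack.push(entry);
      if (entry.vue) inVue++;
      if (entry.pre) inPre++;
    }
  }
  checkText(html.slice(last), last);   // trailing text
  return findings;
}

// Constructed sample mirroring the description: a user-controlled value rendered as
// text inside a v-for block, once unguarded and once under v-pre.
const SAMPLE = '<ul v-for="x in items"><li>{{ alert("lol") }}</li><li v-pre>{{ safe }}</li></ul>';
console.log(findUnguardedInterpolations(SAMPLE));   // one finding: {{ alert("lol") }}
```

Run it against a rendered page (or a Razor partial's output) in CI to catch mustache text that reaches a Vue-managed block without `v-pre`; it does not replace output encoding or a CSP without `unsafe-eval`.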