We read every piece of feedback, and take your input very seriously.
To see all available qualifiers, see our documentation.
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
The text was updated successfully, but these errors were encountered:
轮播表以v-html的形式渲染元素,可以通过传入<span style="color:red;">text</span>这种形式的标签内容去修改颜色;分割线的设置,后续将优化轮播表,使其每一行,每一列都具有特定的类名,可使用css优化展示效果
v-html
<span style="color:red;">text</span>
Sorry, something went wrong.
这很危险,很多用户用轮播表的时候习惯直接把数据塞进去直接展示,v-html会带来XSS攻击的风险,如给一条数据是'<img src="color:#37a2da;" onerror="javascript:alert(1)" />',自定义内容可以提供render,样式就给有规则的类或提供自定义行列的类名。
'<img src="color:#37a2da;" onerror="javascript:alert(1)" />'
+1,已成功复现XSS并实现node环境下回连shell功能,导致客户端被任意代码执行。 建议轮播表提供slot而不是直接去编辑v-html
XSS
slot
No branches or pull requests
Feature request
这个特性解决了什么问题?
这个特性的实现形式?
是否愿意为此特性提交PR?
The text was updated successfully, but these errors were encountered: