Security guide #1760

Merged: 4 commits merged into master from chrisvfritz/security-guide, Oct 24, 2019

Conversation

@chrisvfritz (Contributor, Author)

No description provided.

@shentao (Member) left a review comment:

Looks solid so far. I would also add a paragraph about using SSR that would lead to the SSR guide.

Edit: And here I am accidentally selecting approve instead of comment.

@chrisvfritz (Contributor, Author)

@shentao I decided to leave out SSR (at least for now), since most people aren't using it and we already cover security concerns specific to SSR throughout the SSR docs rather than consolidated on a single page.

@shentao (Member) commented Aug 22, 2018

What about a short "tip" like this:

Building server-side rendered applications requires additional care to make the application secure. Please visit ssr.vuejs.org to learn how to avoid common issues and vulnerabilities.

@chrisvfritz (Contributor, Author)

@shentao I just added a note at the end. What do you think?

@shentao (Member) commented Aug 22, 2018

Perfect! Couldn’t write it better myself. 👍

@bwokich commented Aug 22, 2018

Thank you, gentlemen! We really appreciate this!

@dandoyon

Hi, this is Dan Doyon from Doctor On Demand. Thanks so much for starting the security guide. Being in the business of health care, we need to ensure all our products are safe. We are very much looking forward to migrating from AngularJS 1.x to Vue.

@chrisvfritz chrisvfritz changed the title [WIP] Security guide Security guide Aug 24, 2018

Review comment on this line of the guide:

```html
<style>{{ userProvidedStyles }}</style>
```
A maintainer (Member) commented on this line:

Should note here that Vue will refuse to render <style> tags inside templates.

@yyx990803 (Member) commented Aug 26, 2018

Looks great. There's one thing I would add: sometimes we receive vulnerability reports on how it's possible to do XSS in Vue templates, and we in general do not consider such cases actual vulnerabilities, because there are two possible cases for this to actually lead to a breach:

  1. The dev is explicitly asking Vue to render user-provided, unsanitized content as Vue templates. This is inherently unsafe and it's impractical for Vue to protect you from that.

  2. You are mounting Vue to an entire HTML page which happens to contain server-rendered, user-provided content. This is actually fundamentally the same as (1), but sometimes devs may do it without realizing it. This can lead to possible vulnerabilities where the attacker provides HTML which is safe as plain HTML but unsafe as a Vue template. The best practice is to never mount Vue on nodes that may contain server-rendered, user-provided content.

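The distinction in case (2) above, as an added illustration that is not part of the PR or of Vue's own code: a deliberately simplified mustache interpolator stands in for Vue's template compiler so the script runs offline in Node. It resolves only dotted property paths where Vue evaluates full JavaScript expressions, but it reproduces the relevant behaviour: server-side HTML escaping neutralises `<` and `&`, yet leaves `{{` untouched, so a comment that is harmless as plain HTML becomes a template expression the moment Vue is mounted on the node containing it. The `apiToken` data property, the `#app` markup and the sample comment are constructed for the example.

```javascript
// Added illustration (not Vue's code): a simplified interpolator models what
// "mount Vue on this markup" does to text already in the page.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Server-side escaping: neutralises HTML metacharacters but does nothing to "{{".
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Stand-in for the template compiler: every {{ path }} in the markup is looked
// up on the component data. Simplification: Vue evaluates arbitrary JS
// expressions here; this only resolves dotted property paths. Like Vue text
// interpolation, the inserted value is HTML-escaped.
function compileTemplate(template, data) {
  return template.replace(/\{\{\s*([\w$.]+)\s*\}\}/g, (_, path) => {
    const value = path.split('.').reduce((obj, key) => (obj == null ? undefined : obj[key]), data);
    return escapeHtml(value === undefined ? '' : value);
  });
}

// Case (2): the server escapes a user comment into the page, then Vue is
// mounted on the whole page, so the comment text is compiled as template.
function serverRenderPage(userComment) {
  return `<div id="app"><p class="comment">${escapeHtml(userComment)}</p></div>`;
}

function mountOnServerRenderedHtml(html, componentData) {
  return compileTemplate(html, componentData);
}

// Safe structure: the template is developer-authored and the user comment is
// passed in as data, so it is rendered as text and never compiled. A single
// replace pass means the inserted text is not re-scanned for "{{".
const DEVELOPER_TEMPLATE = '<div id="app"><p class="comment">{{ comment }}</p></div>';

function renderCommentAsData(userComment, componentData) {
  return compileTemplate(DEVELOPER_TEMPLATE, { ...componentData, comment: userComment });
}

// Constructed sample input: contains no "<" or "&", so it survives HTML escaping
// unchanged, but it is a template expression once compiled. apiToken is a
// hypothetical data property standing in for anything the component holds.
const USER_COMMENT = 'Nice article! {{ apiToken }}';
const COMPONENT_DATA = { apiToken: 'hypothetical-secret-token' };

function demo() {
  return {
    asPlainHtml: serverRenderPage(USER_COMMENT),
    mountedOnPage: mountOnServerRenderedHtml(serverRenderPage(USER_COMMENT), COMPONENT_DATA),
    asData: renderCommentAsData(USER_COMMENT, COMPONENT_DATA),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  const out = demo();
  console.log('plain HTML      :', out.asPlainHtml);   // braces are literal text
  console.log('mounted on page :', out.mountedOnPage); // data property leaks into the page
  console.log('comment as data :', out.asData);        // braces stay literal
}
```

The practical check this suggests is structural rather than a filter: grep the server templates for the element Vue is mounted on and confirm nothing user-controlled is rendered inside that subtree; escaping alone will not catch the mustache case, and stripping `{{` from user text is brittle because Vue also compiles directives and bindings in attributes.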
@sdras (Member) commented Apr 8, 2019

Hey @chrisvfritz! If you have time, could you please let me know where this one is at? I also wouldn't mind finishing it up for you if you're busy. Thanks!

@PhilipJohnBasile

Looking to kick start this again @chrisvfritz .

@chrisvfritz chrisvfritz merged commit a031e11 into master Oct 24, 2019
@chrisvfritz chrisvfritz deleted the chrisvfritz/security-guide branch October 24, 2019 15:23