useHead script children vulnerable to XSS #173

Closed
belomx opened this issue Dec 16, 2022 · 4 comments

@belomx

belomx commented Dec 16, 2022

Environment
https://codesandbox.io/s/new-haze-rmtleo?file=/app.vue

Reproduction
Open the page and the alert will pop-up.

Describe the bug
useHead can be used for an XSS attack.
In my application, the user's inputs are part of the 'application/ld+json' script for SEO purposes, and a user can insert a malicious script.

Additional context
Good to notice: the XSS attack will work only if the script is passed as a prop to a component.

@Skmt3P

Skmt3P commented Dec 16, 2022

+1

@harlan-zw harlan-zw changed the title useHead function is vulnerable to XSS useHead script children vulnerable to XSS Dec 17, 2022
@harlan-zw
Collaborator

harlan-zw commented Dec 17, 2022

To give context, you are providing a string to the children of script, which accepts raw scripts.

The primary use case for doing this is to insert application scripts within the head, so raw scripts are allowed by default.

There are many ways you can solve this on your end:

  • use @vueuse/schema-org
  • build the schema object as an object then create the string using JSON.stringify
  • provide the children as an object (it will be encoded for you automatically)
  • just sanitise the user input when you make the string

There isn't too much this package can do to prevent you from introducing XSS vulnerabilities into your app if you really want to.

I will consider the following though:

  • if the script type is application/json we can sanitise the input to be JSON
  • introduce useHeadSafe to provide a bulletproof way to avoid XSS

Neither of these fixes the "XSS"; it's on the dev not to do silly things with user input.

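As an added example (not code from the unhead project or from anyone in this thread), here is the bug pattern from the report and the "build the schema as an object, then JSON.stringify it" mitigation from the reply above, written as plain JavaScript so it runs without Nuxt. It assumes a head manager that renders the `children` string verbatim into a `<script>` element, which is what the reply describes; `MALICIOUS_NAME`, the builder functions and the small parser model are all assumed names. It also covers a caveat the reply does not spell out: JSON.stringify alone is not enough, because the HTML parser ends a script element at the first literal `</script>` regardless of JSON quoting, so `<`, `>` and `&` must additionally be encoded as JSON `\uXXXX` escapes.

```javascript
// Added example, not code from the unhead project or this issue's authors.
// Shows the vulnerable pattern from the report, the "object + JSON.stringify"
// mitigation from the reply, and the extra escaping a JSON-LD block still needs.
//
// Assumption: a head manager that takes the raw string as script children, as
// useHead({ script: [{ type, children }] }) does. Here we only build the text of
// the resulting <script> element so the behaviour is visible without Nuxt.

// Constructed sample input: the attacker-controlled "user input", e.g. a product
// name submitted through a form.
const MALICIOUS_NAME = '</script><script>alert(1)</script>';

// 1. Vulnerable: string interpolation drops user input straight into the raw
//    script children. The first "</script>" ends the JSON-LD block early and what
//    follows is parsed as a fresh <script> and executed.
function buildLdJsonUnsafe(name) {
  return `{"@context":"https://schema.org","@type":"Product","name":"${name}"}`;
}

// 2. Still not enough: JSON.stringify quotes the value correctly as JSON, but the
//    HTML parser does not understand JSON. It scans script content for the
//    literal "</script" and closes the element there, inside the JSON string.
function buildLdJsonNaive(name) {
  return JSON.stringify({ '@context': 'https://schema.org', '@type': 'Product', name });
}

// 3. Hardened: build the object, JSON.stringify it, then replace the characters
//    the HTML parser cares about with JSON \u escapes. The output is still valid
//    JSON (JSON.parse returns the original data) but can no longer close the
//    <script> element or start an HTML comment ("<!--") inside it.
function buildLdJsonSafe(obj) {
  return JSON.stringify(obj)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Minimal model of how the HTML parser decides where <script> content ends:
// raw text up to the first "</script" (case-insensitive), JSON quoting ignored.
function scriptBodyAsBrowserSeesIt(children) {
  const m = /<\/script/i.exec(children);
  return m ? children.slice(0, m.index) : children;
}

// Renders the children the way a head manager would emit them into the page.
function renderScript(children) {
  return `<script type="application/ld+json">${children}</script>`;
}

// True when the browser would close the element before the end of our data,
// i.e. the input escapes the JSON-LD block.
function breaksOut(children) {
  return scriptBodyAsBrowserSeesIt(children) !== children;
}

function demo() {
  const product = { '@context': 'https://schema.org', '@type': 'Product', name: MALICIOUS_NAME };
  const safe = buildLdJsonSafe(product);
  return {
    unsafe: breaksOut(buildLdJsonUnsafe(MALICIOUS_NAME)),          // true
    naive: breaksOut(buildLdJsonNaive(MALICIOUS_NAME)),            // true
    safe: breaksOut(safe),                                         // false
    roundTrip: JSON.parse(safe).name === MALICIOUS_NAME,           // true
    rendered: renderScript(safe),
  };
}
```

Passing `children` as an object, as the reply suggests, hands this encoding to the library; when you must pass a string, the `buildLdJsonSafe` shape is the minimum, and the `\u003c` form is what to look for when reviewing rendered HTML.
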
@Skmt3P

Skmt3P commented Jan 8, 2023

Since @harlan-zw gave us this idea, I'm sure this issue is no longer a problem, but I'll share this issue's reproduction now:
https://stackblitz.com/edit/nuxt-starter-nynkwv?file=app.vue

I'm looking forward to useHeadSafe() coming to Nuxt3 👍

@harlan-zw
Collaborator

harlan-zw commented Feb 26, 2023

Hey, there are many XSS improvements to address this issue available since 1.1.0.

If you have any other ideas on how to improve XSS issues then please create a new issue! Happy to explore making the package as safe as possible without hindering DX.
