useHead script children vulnerable to XSS #173
To give context, you are providing a string to the The primary use case for doing this, is to insert application scripts within the head, so raw scripts are allowed by default. There are many ways you can solve this on your end:
There isn't too much this package can do to prevent you from introducing XSS vulnerabilities into your app if you really want. I will consider the following though:
Both of these don't fix the "XSS", it's on the dev not to do silly things with user input
Since @harlan-zw gave us this idea, I'm sure this issue is no longer a problem, but I'll share this issue's reproduction now, I'm looking forward to
Hey, there are many XSS improvements to address this issue available since 1.1.0.
If you have any other ideas on how to improve XSS issues then please create a new issue! Happy to explore making the package as safe as possible without hindering DX.
Environment
https://codesandbox.io/s/new-haze-rmtleo?file=/app.vue
Reproduction
Open the page and the alert will pop-up.
Describe the bug
useHead can be used for an XSS attack.
In my application, the user's inputs are part of the 'application/ld+json' script for SEO purposes. And a user can insert a malicious script.
Additional context
Good to notice, the XSS attack will work only if the script is passed as a prop to a component.
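One developer-side mitigation for the JSON-LD case described in this report, as an added example that is not code from the issue thread or from the package (the function names `safeJsonForScript`, `buildJsonLd` and `escapesScript` are assumptions): escape the characters that let injected data terminate a script element before handing the string over as the script's children.

```javascript
// Added example (not part of the issue thread or the package): serialize
// user-influenced data as JSON-LD so it can be placed in a <script> child
// without letting the data close the script element early.
// Assumption: the function names below are hypothetical, not the package's API.

// Characters that can end a script element or break JSON inside HTML are
// replaced with their \uXXXX escapes. "</script>" becomes
// "\u003c/script\u003e", which the HTML parser never treats as a closing tag,
// while JSON.parse still decodes it to the original text.
const SCRIPT_UNSAFE = /[<>&\u2028\u2029]/g;

function safeJsonForScript(value) {
  return JSON.stringify(value).replace(SCRIPT_UNSAFE, (ch) =>
    '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Builds a script descriptor in the shape the report describes: a
// type plus a children string. The headline is the user-controlled field.
function buildJsonLd(userInput) {
  const data = {
    '@context': 'https://schema.org',
    '@type': 'Article',
    headline: userInput, // attacker-controlled in the report
  };
  return { type: 'application/ld+json', children: safeJsonForScript(data) };
}

// Check used to confirm the rendered children contain no closing script tag.
function escapesScript(children) {
  return !/<\/script/i.test(children);
}

// Constructed sample input mirroring the reproduction: a headline that tries
// to close the JSON-LD script and open a new one.
const SAMPLE_INPUT = 'Hello</script><script>alert(1)</script>';

if (typeof require !== 'undefined' && require.main === module) {
  console.log(buildJsonLd(SAMPLE_INPUT).children);
}
```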