
I'm taking user-inputted data from the server and rendering it back into an input element on the client, which is using Vue.

If I have `<input :value="untrustedValue">`, I imagine this opens up to XSS attacks just like vanilla HTML `<input>` such as, if a user types in `"> <script>alert('XSS injection')</script>`

Is this still the case when using the `v-model` attribute, considering that Vue does a little magic behind the scenes?

slanden

  • _"I image this opens up to XSS attacks"_ it does not and nor does `v-model` ~ https://jsfiddle.net/tbp7hkg6/ – Phil Aug 30 '19 at 02:58
  • The only thing you need to worry about is having `" – Phil Aug 30 '19 at 03:01
  • @Phil So, it's safe...given that an attacker writes their XSS injection with split ` – slanden Aug 30 '19 at 03:21
  • You asked if Vue was vulnerable to XSS via binding (including `v-model`) and the answer is no. Any ` – Phil Aug 30 '19 at 04:29
  • I think your comment could have been more clear if you said, **"yes, using untrusted data with any HTML element attributes, whether using Vue or not, is vulnerable to XSS attacks. Vue does not do anything special with binding or `v-model` to avoid this."** The "why" would be the issue with ` – slanden Aug 30 '19 at 18:12
  • The thing is, Vue does treat attribute binding specially. For example, you cannot inject `"` to break out of the current attribute value. The issue with ` – Phil Aug 30 '19 at 23:36
  • So although Vue does avoid some possible cases, untrusted user data still needs to be sanitized when using directly with attributes such as `value` or `v-model` because it doesn't avoid cases where an attacker injects ` – slanden Aug 31 '19 at 00:51
  • Not just with Vue but with any JavaScript – Phil Aug 31 '19 at 15:27
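The distinction the comments circle around is where the untrusted string ends up: in an HTML string that a parser will read, or in a DOM property assigned at runtime. The following is an added example (not from the question, the comments or Vue's own code) that contrasts the two. It assumes a constructed payload equal to the one in the question, a naive server-side template that concatenates the value into `<input value="...">`, the same template with attribute-context escaping, and a stand-in element object for the property assignment that Vue's `:value` / `v-model` perform on the real `<input>` element in a browser.

```javascript
// Added example: untrusted text in an HTML string vs. untrusted text in a DOM property.
// Constructed sample input, identical to the payload quoted in the question.
const PAYLOAD = '"> <script>alert(\'XSS injection\')</script>';

// 1. Vulnerable pattern: server (or client) builds markup by string concatenation.
//    The quote and '>' in the payload close the attribute and the tag, and the
//    HTML parser then sees a real <script> element.
function renderInputUnsafe(untrusted) {
  return '<input value="' + untrusted + '">';
}

// 2. Same template, but the value is escaped for the attribute context first.
//    Every character that can terminate an attribute or start a tag is encoded,
//    so the browser restores the original text as the attribute's value.
function escapeAttr(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}
function renderInputSafe(untrusted) {
  return '<input value="' + escapeAttr(untrusted) + '">';
}

// 3. What a Vue binding does for :value / v-model on an <input>: no HTML string
//    is built at all. The string is assigned to the element's `value` property,
//    which is data, not markup, so there is nothing to "break out" of.
//    `el` is a stand-in object here because this runs outside a browser;
//    in the browser it would be the actual HTMLInputElement.
function bindValueLikeVue(el, untrusted) {
  el.value = untrusted; // property assignment, never parsed as HTML
  return el;
}

// Crude check for this demo: count opening tags in a rendered string.
// A correct single <input> renders as exactly one tag.
function countOpeningTags(html) {
  return (html.match(/<[a-zA-Z]/g) || []).length;
}

// Reverses escapeAttr so the test can show the safe rendering round-trips.
function unescapeAttr(s) {
  return String(s)
    .replace(/&gt;/g, '>')
    .replace(/&lt;/g, '<')
    .replace(/&#39;/g, "'")
    .replace(/&quot;/g, '"')
    .replace(/&amp;/g, '&');
}

console.log('unsafe :', renderInputUnsafe(PAYLOAD), '->', countOpeningTags(renderInputUnsafe(PAYLOAD)), 'tags');
console.log('escaped:', renderInputSafe(PAYLOAD), '->', countOpeningTags(renderInputSafe(PAYLOAD)), 'tag');
console.log('vue-ish:', JSON.stringify(bindValueLikeVue({ value: '' }, PAYLOAD).value));
```

The unsafe render produces two opening tags (`<input` and the injected `<script`), the escaped render produces one and decodes back to the original text, and the property assignment simply stores the payload as the input's value. This is why the quoted `"> <script>` payload does nothing under a Vue binding but is an injection wherever markup is assembled from strings.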
