
I'm taking user-inputted data from the server and rendering it back into an input element on the client, which is using Vue.

If I have `<input :value="untrustedValue">`, I imagine this opens up to XSS attacks just like a vanilla HTML `<input>` does, such as if a user types in `"> <script>alert('XSS injection')</script>`

Is this still the case when using the v-model attribute, considering that Vue does a little magic behind the scenes?

slanden
  • _"I image this opens up to XSS attacks"_ it does not and nor does `v-model` ~ https://jsfiddle.net/tbp7hkg6/ – Phil Aug 30 '19 at 02:58
  • The only thing you need to worry about is having `" – Phil Aug 30 '19 at 03:01
  • @Phil So, it's safe...given that an attacker writes their XSS injection with split ` – slanden Aug 30 '19 at 03:21
  • You asked if Vue was vulnerable to XSS via binding (including `v-model`) and the answer is no. Any ` – Phil Aug 30 '19 at 04:29
  • I think your comment could have been more clear if you said, **"yes, using untrusted data with any HTML element attributes, whether using Vue or not, is vulnerable to XSS attacks. Vue does not do anything special with binding or `v-model` to avoid this."** The "why" would be the issue with ` – slanden Aug 30 '19 at 18:12
  • The thing is, Vue does treat attribute binding specially. For example, you cannot inject `"` to break out of the current attribute value. The issue with ` – Phil Aug 30 '19 at 23:36
  • So although Vue does avoid some possible cases, untrusted user data still needs to be sanitized when used directly with attributes such as `value` or `v-model` because it doesn't avoid cases where an attacker injects ` – slanden Aug 31 '19 at 00:51
  • Not just with Vue but with any JavaScript – Phil Aug 31 '19 at 15:27
  • No, because `:value` doesn't insert anything into the HTML. But if you store a `v-model` value in some variable and insert it into HTML by `v-html`, you may have some problems with XSS – Alexey May 04 '23 at 20:40
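To make the comment thread concrete, here is an added example (not from the question, the commenters, or Vue's own source) that runs the question's payload through the rendering paths discussed above: naive string templating into markup, the same templating with attribute escaping, property assignment as Vue's `:value` / `v-model` do on an `<input>`, and `v-html`-style `innerHTML` assignment. The `bindValueProperty` stand-in element and the `containsScriptTag` check are assumptions made so the example runs under Node without a browser.

```javascript
// Added example, not part of the question or of Vue. It contrasts four ways the
// question's untrusted value can reach the page.

// Constructed payload, taken from the question's own example.
const untrustedValue = `"> <script>alert('XSS injection')</script>`;

// Escape the five characters that matter inside an HTML attribute value.
function escapeAttr(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Path 1: hand-rolled or server-side templating that concatenates the raw value.
// The leading `">` closes the attribute and the tag, so the rest becomes markup.
function renderNaive(value) {
  return `<input value="${value}">`;
}

// Path 2: the same templating with attribute escaping applied; the payload stays
// inside the attribute as text.
function renderEscaped(value) {
  return `<input value="${escapeAttr(value)}">`;
}

// Path 3: what Vue does for :value and v-model on an <input>: it assigns the DOM
// element's `value` property. No HTML is serialized or parsed, so there is no
// attribute context to break out of. A tiny stand-in object replaces a real
// element here (assumption: only the `value` property is modelled).
function bindValueProperty(value) {
  const el = { tagName: 'INPUT', value: '' };
  el.value = value;
  return el;
}

// Path 4: v-html assigns innerHTML, so the string is handed to the HTML parser
// as-is. Modelled as returning the markup the parser would receive.
function renderVHtml(value) {
  return value;
}

// Detection helper (assumption, crude by design): does the markup contain a
// <script> start tag, as opposed to the literal text "&lt;script" in an attribute?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Stand-alone demonstration; the comments give the expected results.
function demo() {
  console.log('naive   :', containsScriptTag(renderNaive(untrustedValue)));               // true
  console.log('escaped :', containsScriptTag(renderEscaped(untrustedValue)));             // false
  console.log('property:', bindValueProperty(untrustedValue).value === untrustedValue);   // true
  console.log('v-html  :', containsScriptTag(renderVHtml(untrustedValue)));               // true
}
demo();
```

The property path is why the commenters say `:value` and `v-model` are not the problem: the value never passes through an HTML serializer, so quotes and angle brackets are just characters in a string. The `v-html` path is the one to audit, because attacker-controlled markup is handed straight to the parser; browsers do not execute a `<script>` element inserted through `innerHTML`, but that is the only thing the parser refuses, so the usual rule of treating `v-html` input as trusted-only still applies.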
