Rule Proposal: `no-v-html` to prevent potential XSS attacks #434

n-zeplo · 2018-03-16T22:29:41Z

Please describe what the rule should do:

This rule errors or warns developers of the use of v-html and its potential to lead to XSS attacks.

What category of rule is this? (place an "X" next to just one item)

[ ] Enforces code style
[ ] Warns about a potential error
[ ] Suggests an alternate way of doing something
[X] Other (please specify:) Security enhancement

Provide 2-3 code examples that this rule will warn about:

Why should this rule be included?

Injecting unescaped html into the view can be unsafe depending on the source of the html. If it ties into user input it has the potential for XSS attacks. This rule should be able to set as warning and optional as this directive might be needed for trusted HTML coming from the server side.

Similar implementation in react eslint ruleset.

michalsnik · 2018-07-14T20:28:03Z

Released in v4.7.0 :) Thanks @n-zeplo !

n-zeplo mentioned this issue Mar 18, 2018

⭐️New: Add vue/no-v-html rule #435

Merged

michalsnik added new rule proposition accepted proposition labels Mar 22, 2018

michalsnik added work in progress and removed work in progress labels Jul 11, 2018

michalsnik closed this as completed Jul 14, 2018

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Rule Proposal: `no-v-html` to prevent potential XSS attacks #434

Rule Proposal: `no-v-html` to prevent potential XSS attacks #434

n-zeplo commented Mar 16, 2018

michalsnik commented Jul 14, 2018

Rule Proposal: no-v-html to prevent potential XSS attacks #434

Rule Proposal: no-v-html to prevent potential XSS attacks #434

Comments

n-zeplo commented Mar 16, 2018

michalsnik commented Jul 14, 2018

Rule Proposal: `no-v-html` to prevent potential XSS attacks #434

Rule Proposal: `no-v-html` to prevent potential XSS attacks #434