javascript.vue.security.audit.xss.templates.avoid-v-html.avoid-v-html

Author: semgrep
Downloads: 2,585

`v-html` inserts the bound string into the DOM as raw HTML, bypassing the escaping that mustache (`{{ }}`) interpolation applies, so rendering attacker-influenced content this way leads directly to cross-site scripting (CWE-79). Use `{{ }}` for untrusted data and reserve `v-html` for markup you generate yourself or have passed through an allowlist sanitizer. This is an audit rule: it is a plain regex over `*.vue` files (see the definition below), so it flags every `v-html=` binding whatever the bound expression is, and it does not cover other raw-HTML sinks such as `innerHTML` in render functions or `.js`/`.ts` code. That is why its confidence is LOW; each finding still needs a human to trace where the value comes from.


Definition

rules:
  - id: avoid-v-html
    message: Dynamically rendering arbitrary HTML on your website can be very
      dangerous because it can easily lead to XSS vulnerabilities. Only use HTML
      interpolation on trusted content and never on user-provided content.
    metadata:
      references:
        - https://vuejs.org/v2/guide/syntax.html#Raw-HTML
      category: security
      cwe:
        - "CWE-79: Improper Neutralization of Input During Web Page Generation
          ('Cross-site Scripting')"
      technology:
        - vue
      owasp:
        - A07:2017 - Cross-Site Scripting (XSS)
        - A03:2021 - Injection
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cross-Site-Scripting (XSS)
    languages:
      - regex
    severity: WARNING
    paths:
      include:
        - "*.vue"
    pattern-regex: <[^<>]*v-html=

Examples

avoid-v-html.vue

<div>
  <!-- ruleid: avoid-v-html -->
  <span dir="auto" class="markdown" v-html="entry.post"></span>
  <!-- ok: avoid-v-html -->
  <span dir="auto" class="markdown">{{entry.post}}</span>
</div>
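The following is an added example, not code from the Semgrep rule or its test file. It applies the rule's own `pattern-regex` to a constructed `.vue` template to show what the regex catches (including a binding split across lines and a mention inside an HTML comment) and what it misses (an `:innerHTML` binding, which Vue 3 sets as a DOM property), and it spells out the escaping that `{{ }}` interpolation gives you, which is why the second `<span>` in the example above is the "ok" case. The component, `entry`, and `sanitize` are placeholders, not real code. Plain Node.js, no dependencies.

```javascript
// Added example (not from the Semgrep rule page): run the rule's regex over a
// constructed .vue template and compare raw v-html output with escaped output.

// pattern-regex from the rule definition. [^<>] also matches newlines, so the
// attribute may sit on a later line than the '<' that starts its tag.
const VHTML_RE = /<[^<>]*v-html=/g;

// Constructed sample template (hypothetical component; `entry` and `sanitize`
// are placeholders). Expected result per line:
//   3  flagged: raw HTML from a user-controlled field (a true positive)
//   4  flagged: the regex cannot see that the value was sanitized
//   5  flagged: the binding is on line 6, but the match starts at the '<div'
//   7  NOT flagged: :innerHTML is the same sink, but the regex only knows v-html=
//   8  flagged: the text is inside an HTML comment, not a real binding
//   9  not flagged: {{ }} interpolation is escaped by Vue
const SAMPLE_VUE = `<template>
  <div>
    <span class="markdown" v-html="entry.post"></span>
    <span v-html="sanitize(entry.post)"></span>
    <div
      v-html="entry.bio"></div>
    <div :innerHTML="entry.post"></div>
    <!-- TODO: drop the old v-html="legacy" binding -->
    <span>{{ entry.post }}</span>
  </div>
</template>
`;

// Return every regex match with the 1-based line where the matched tag starts.
// Whitespace inside the match is collapsed so multi-line matches print on one line.
function findVHtml(source) {
  const findings = [];
  const re = new RegExp(VHTML_RE.source, 'g'); // fresh lastIndex per call
  let m;
  while ((m = re.exec(source)) !== null) {
    const line = source.slice(0, m.index).split('\n').length;
    findings.push({ line, match: m[0].replace(/\s+/g, ' ') });
  }
  return findings;
}

// The effect of {{ }} interpolation written out as explicit escaping: the
// same payload that executes under v-html becomes inert visible text.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function main() {
  const findings = findVHtml(SAMPLE_VUE);
  console.log(`${findings.length} finding(s) for pattern ${VHTML_RE.source}:`);
  for (const f of findings) console.log(`  line ${f.line}: ${f.match}`);

  const payload = '<img src=x onerror=alert(1)>'; // constructed XSS probe
  console.log('v-html renders :', payload, '(script executes)');
  console.log('{{ }} renders  :', escapeHtml(payload), '(plain text)');
}

main();
```

Lines 4 and 8 are the price of a regex rule: to tell a sanitized binding from a raw one you need a semantic rule (Semgrep's `javascript` language mode with a taint source and sink) rather than `pattern-regex`, and line 7 shows that a clean report from this rule does not mean the component has no raw-HTML sink. When a `v-html` binding is genuinely needed, pass the value through an allowlist sanitizer such as DOMPurify first and keep the sanitizer call next to the binding so reviewers can see it.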