javascript.vue.security.audit.xss.templates.avoid-v-html.avoid-v-html
Author: semgrep
Download count: 2,585
License: Commons Clause License Condition v1.0[LGPL-2.1-only]
Dynamically rendering arbitrary HTML on your website can be very dangerous because it can easily lead to XSS vulnerabilities. Only use HTML interpolation on trusted content and never on user-provided content.
Definition
rules:
  - id: avoid-v-html
    message: Dynamically rendering arbitrary HTML on your website can be very
      dangerous because it can easily lead to XSS vulnerabilities. Only use HTML
      interpolation on trusted content and never on user-provided content.
    metadata:
      references:
        - https://vuejs.org/v2/guide/syntax.html#Raw-HTML
      category: security
      cwe:
        - "CWE-79: Improper Neutralization of Input During Web Page Generation
          ('Cross-site Scripting')"
      technology:
        - vue
      owasp:
        - A07:2017 - Cross-Site Scripting (XSS)
        - A03:2021 - Injection
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cross-Site-Scripting (XSS)
    languages:
      - regex
    severity: WARNING
    paths:
      include:
        - "*.vue"
    pattern-regex: <[^<>]*v-html=
Examples
avoid-v-html.vue
<div>
  <!-- ruleid: avoid-v-html -->
  <span dir="auto" class="markdown" v-html="entry.post"></span>
  <!-- ok: avoid-v-html -->
  <span dir="auto" class="markdown">{{entry.post}}</span>
</div>
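The following is an added example, not code from the Semgrep rule or from Vue: it applies the rule's pattern-regex to a constructed .vue file and reports one finding per match, then shows why the {{ }} form in the "ok" example above is safe. The sample template, the scanner and the escaping helper (modelled on the character set Vue's text interpolation escapes) are all assumptions made for this illustration.

```javascript
// Added example, not part of the Semgrep rule or of Vue: runs this rule's
// pattern-regex over a constructed .vue file and reports one finding per match.
const RULE_ID = "avoid-v-html";
// The rule's own pattern-regex. [^<>] also matches newlines, so a tag whose
// attributes are split across several lines is still caught.
const PATTERN = /<[^<>]*v-html=/g;

// Constructed sample: a single-line v-html, a safe text interpolation, and a
// multi-line tag binding v-html to a value that may or may not be sanitized.
const SAMPLE_VUE = [
  "<template>",
  "  <div>",
  '    <span dir="auto" class="markdown" v-html="entry.post"></span>',
  '    <span dir="auto" class="markdown">{{ entry.post }}</span>',
  "    <article",
  '      class="body"',
  '      v-html="sanitizedBody"',
  "    ></article>",
  "  </div>",
  "</template>",
].join("\n");

// Returns [{ ruleId, line, snippet }] for every match, with 1-based line numbers.
// A regex rule cannot tell whether the bound expression was sanitized, so the
// second tag is reported too; that is why the rule is an audit rule with LOW
// confidence: each hit needs a human to check where the value comes from.
function scanVueSource(source) {
  const findings = [];
  for (const m of source.matchAll(PATTERN)) {
    const line = source.slice(0, m.index).split("\n").length;
    findings.push({ ruleId: RULE_ID, line, snippet: m[0].replace(/\s+/g, " ") });
  }
  return findings;
}

// Text interpolation ({{ entry.post }}) escapes the value before it reaches the
// DOM, so markup in user content is displayed literally; v-html inserts it as-is.
// The escaped character set is an assumption modelled on Vue's escapeHtml helper.
function escapeForTextInterpolation(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

if (typeof require !== "undefined" && require.main === module) {
  for (const f of scanVueSource(SAMPLE_VUE)) {
    console.log(`${f.ruleId}: line ${f.line}: ${f.snippet}`);
  }
  console.log(escapeForTextInterpolation("<b>hi</b> & more"));
}
```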
Short Link: https://sg.run/0QEw