HighFile-scopeJavaScript / TypeScript Plug & play

Disabling Vue.js built-in escaping is security-sensitive

Avoid using directives or features that bypass Vue's built-in HTML escaping mechanisms, such as the `v-html` directive, unless the content is known to be safe or has been properly sanitized.

Add to Mesrai Open workspace

Why this matters

Vue automatically escapes dynamic content bound using `{{ }}` syntax to prevent Cross-Site Scripting (XSS) attacks. Using `v-html` renders raw HTML, potentially executing malicious scripts if the content originates from untrusted user input. Disabling this safety feature creates a significant security vulnerability.

Bad vs. good

Side-by-side examples engineers can pattern-match during review.

Avoid

<template>
  
  <div v-html="userGeneratedContent"></div>
</template>

Prefer

<template>
  
  <div>{{ userGeneratedContent }}</div>

  
  <div v-html="sanitizedHtmlContent"></div> 
</template>

<script>
import DOMPurify from 'dompurify';

export default {
  props: ['userGeneratedContent'],
  computed: {
    sanitizedHtmlContent() {
      // Example: Sanitize before rendering with v-html
      return DOMPurify.sanitize(this.userGeneratedContent);
    }
  }
}
</script>

More snippets

Bad

<div v-html="userInput"></div>

Good

<div>{{ userInput }}</div>

Good

<div v-html="sanitizedInput"></div>

Related rules

From the same buckets as this rule.

Critical
Always sanitize user inputs
Check if user inputs are sanitized before being used in rendering or database queries. Unsanitized inputs can lead to injection vulnerabilities like XSS or SQL injection.
security-hardening
Critical
Always Verify Server Certificates in SSL/TLS Connections
Ensure that SSL/TLS certificate validation is always enabled to prevent Man-in-the-Middle (MitM) attacks.
security-hardening
Critical
Avoid modifying built-in prototypes
Detect modifications to built-in prototypes. Modifying built-in objects can lead to compatibility issues and unexpected behavior. Recommend creating helper functions instead.
maintainabilitysecurity-hardening

Why this matters

Bad vs. good

Side-by-side examples engineers can pattern-match during review.

Avoid

<template>
  
  <div v-html="userGeneratedContent"></div>
</template>

Prefer

<template>
  
  <div>{{ userGeneratedContent }}</div>

  
  <div v-html="sanitizedHtmlContent"></div> 
</template>

<script>
import DOMPurify from 'dompurify';

export default {
  props: ['userGeneratedContent'],
  computed: {
    sanitizedHtmlContent() {
      // Example: Sanitize before rendering with v-html
      return DOMPurify.sanitize(this.userGeneratedContent);
    }
  }
}
</script>

More snippets

Bad

<div v-html="userInput"></div>

Good

<div>{{ userInput }}</div>

Good

<div v-html="sanitizedInput"></div>

Related rules

From the same buckets as this rule.

Critical

Always sanitize user inputs

Check if user inputs are sanitized before being used in rendering or database queries. Unsanitized inputs can lead to injection vulnerabilities like XSS or SQL injection.

security-hardening

Critical

Always Verify Server Certificates in SSL/TLS Connections

Ensure that SSL/TLS certificate validation is always enabled to prevent Man-in-the-Middle (MitM) attacks.

security-hardening

Critical

Avoid modifying built-in prototypes

Detect modifications to built-in prototypes. Modifying built-in objects can lead to compatibility issues and unexpected behavior. Recommend creating helper functions instead.

maintainabilitysecurity-hardening