JS-0693 · Use interpolation expressions instead of the `v-html` attribute

Use interpolation expressions instead of the v-html attribute JS-0693

Security

Major

8 months ago — 8 months old

'v-html' directive can lead to XSS attack

javascript/packages/demo-vue/src/components/Header.vue

 8    @click="functionCall"
 9    v-bind:foo="'bar'"
10    :class="[{ 'foo': isFoo }, { 'bar': isBar }]"
11    v-html="someHTML"12  >
13    <div v-for="item in navItems">{{item.name}}</div>
14  </div>

Description

It is recommended to use interpolation expressions instead of using v-html as it prevents injection attacks like XSS.

Injecting HTML is a feature available to any front-end framework and used by websites when the server renders HTML. Using interpolation expressions is recommended as expression here gets stringified instead of getting executed, unlike in v-html

Bad Practice

<div v-html="someHTML"></div>

deepsourcestatus / test-repository

Bad Practice

Recommended

References