Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Vuejs: V-HTML data binding of html data against eslint rule

Tags:

javascript

html

data-binding

eslint

vue.js

I am using the following method to bind html and display in my page. It is working perfectly, however i receive a warning from my eslint that 'v-html' directive can lead to XSS attack.eslint(vue/no-v-html)

  <button
        id="foreignerBtn"
        class="tabButton"
        @click="foreignerClick"
        v-html="textContent2"
      ></button>

Then i change it following method. But i not able to render html tag. 

 <button
            id="foreignerBtn"
            class="tabButton"
            @click="foreignerClick"
          >{{ textContent2 }}</button>
like image 805
Chan Yoong Hon Avatar asked Dec 10 '22 00:12

Chan Yoong Hon

2 Answers

As Decade Moon mentions you can disable the rule if the content passed to v-html is sanitized HTML.

https://eslint.vuejs.org/rules/no-v-html.html

Disable the rule by wrapping the html in

<!-- eslint-disable vue/no-v-html -->
<button
        id="foreignerBtn"
        class="tabButton"
        @click="foreignerClick"
        v-html="textContent2"
      ></button>
<!--eslint-enable-->
like image 93
Birger Püschl Avatar answered Dec 22 '22 01:12

Birger Püschl

As stated in the other answer, you can disable the warning but a good practice is to make sure the rule is rightfully disabled.

To do so, you can use dompurify that will parse the HTML you are giving to the browser, remove any malicious part and display it safely.

The issue is still there but you can use RisXSS which is an ESLint plugin that will warn the uses of v-html if you do not sanitize it before (in a sense, this is an improved version of vue/no-v-html ESLint rule).

To do so, install dompurify and eslint-plugin-risxss:

npm install dompurify eslint-plugin-risxss

Add risxss to your ESLint plugins then use DOMPurify:

<template>
    <button
        id="foreignerBtn"
        class="tabButton"
        @click="foreignerClick"
        v-html="sanitizedTextContent2"
        <!-- no warning, good to go -->
    ></button>
    <button
        id="foreignerBtn"
        class="tabButton"
        @click="foreignerClick"
        v-html="textContent2"
        <!-- warning here -->
    ></button>
</template>
<script>
import DOMPurify from 'dompurify';

export default {
    data () {
    return {
        sanitizedTextContent2: DOMPurify.sanitize(textContent2)
    }
    }
}
</script>

Disclaimer: I am a contributor of RisXSS plugin.

like image 33
clementescolano Avatar answered Dec 21 '22 23:12

clementescolano
Sign in to Comment

Related questions

debugging next.js with vscode debugger
How to get value of bootstrap switch
React redux connect rendering optimisation
Why lodash .isNumber function is more complicated than typeof value == 'number'
ReactJS and autofocus
How to send JSON array through graphQL and AWS AppSync to add data to Dynamo Table?
Unable to create a new project with the Nest CLI
Problem with nested fetch request in React
How to register component in vue+ts correctly?
I can't open Cypress on Mac: Cypress not found
JS - Safari on iOS - How to get viewport scale property
How to dynamically change a function's name
How to detect an application in the kill app on react native?
What is the replacement for performance.navigation.type in angular?
Merge objects with same id in array
Recursive function prints correct final result inside the loop but then is undefined outside
Error: Type '{}' is missing the following properties from type
Dynamically detect if position:sticky is supported by the browser
What is the difference between CPU intensive and I/O intensive?
vue-btn doesn't submit on enter key

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!