dotboris / vuejs-serverside-template-xss

Demo of a Vue.js app that mixes both clientside templates and serverside templates leading to an XSS vulnerability
MIT License

Help me understand: Which way around #3

Open maxnoe opened 6 years ago

maxnoe commented 6 years ago

Just to get it clear for me: The issue is only happening when rendering user input serverside, correct?

Users can inject Vue templates into stuff that is rendered server side; the other way around is not possible?

Because injecting a template into

<div>{{ some_user_input }}</div>

does not work

b12f commented 6 years ago

Correct. For example, with Vue this is a problem if you use inline-templates or x-templates that are partially rendered server side, before being used as templates client side.

ctf0 commented 6 years ago

@b12f Should v-pre be added to each Laravel-controlled div?

ghost commented 6 years ago

@ctf0 Only those returning user input within a piece of the page parsed by Vue.js.
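
An added example, not part of the thread or the repository's code: it models the server-side step in JavaScript rather than Blade and shows that HTML escaping leaves `{{ }}` intact inside the Vue-mounted element, while wrapping only the user-controlled value in `v-pre` takes it out of compilation. The names `escapeHtml`, `renderGreeting` and `compiledInterpolations` are hypothetical, the scanner is a simplification of what Vue's compiler does, and the input is constructed.

```javascript
// Added example: escapeHtml, renderGreeting and compiledInterpolations are
// hypothetical names standing in for a server-side template engine.
const VOID = new Set(["br", "hr", "img", "input", "meta", "link"]);

// What server-side auto-escaping does: neutralises HTML, not {{ }}.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) =>
    ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }[c]));
}

// Server-rendered fragment that ends up inside the element Vue mounts on.
function renderGreeting(userInput, { vPre = false } = {}) {
  const safe = escapeHtml(userInput);
  const value = vPre ? `<span v-pre>${safe}</span>` : safe;
  return `<div id="app"><p>Hello ${value}</p><p>{{ clientMessage }}</p></div>`;
}

// Simplified scanner (not Vue's compiler): returns every text node containing
// a mustache that lies outside any v-pre subtree, i.e. text Vue would compile.
function compiledInterpolations(html) {
  const token = /<(\/?)([a-zA-Z][\w-]*)([^>]*)>|([^<]+)/g;
  const stack = []; // one boolean per open element: is it inside v-pre?
  const hits = [];
  let m;
  while ((m = token.exec(html)) !== null) {
    const [, closing, tag, attrs, text] = m;
    const skipped = stack.length > 0 && stack[stack.length - 1];
    if (text !== undefined) {
      if (!skipped && /\{\{[\s\S]*?\}\}/.test(text)) hits.push(text.trim());
    } else if (closing) {
      stack.pop();
    } else if (!VOID.has(tag.toLowerCase()) && !attrs.trim().endsWith("/")) {
      stack.push(skipped || /(^|\s)v-pre(\s|=|$)/.test(attrs));
    }
  }
  return hits;
}

// Constructed, harmless input: an arithmetic expression in Vue delimiters.
const sample = "{{ 1 + 1 }}";
console.log(compiledInterpolations(renderGreeting(sample)));
console.log(compiledInterpolations(renderGreeting(sample, { vPre: true })));
```

The first call reports both the user-supplied text and the page's own `{{ clientMessage }}`; with `v-pre` on the user-controlled span only the page's own interpolation remains, so the rest of the template keeps working.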