mganss / HtmlSanitizer

Cleans HTML to avoid XSS attacks
MIT License
1.51k stars 198 forks

Sanitize Vue.js scripts #515

Closed gmarzaloni-onit closed 6 months ago

gmarzaloni-onit commented 6 months ago

Hello, HtmlSanitizer does not sanitize this example Vue.js script code:

{{$on.constructor('alert(1)')()}}

This code, placed for example in an OPTION item, creates an XSS vulnerability on the page.

<select>
  <option value="1">Item 1 {{$on.constructor(&#x27;alert(1)&#x27;)()}}</option>
  <option value="2">Item 2</option>
</select>

On load, the page shows the modal alert.

mganss commented 6 months ago

This scenario is out of scope as we only deal with HTML, not specific frameworks that have their own syntax. That said, the upcoming change in #511 would probably allow you to handle this use case. In the current version you can probably use the PostProcessNode event to enable this use case.
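One way to use the PostProcessNode hook mganss refers to, as an added example rather than code from the project or from either commenter. It assumes HtmlSanitizer 8.x (namespace Ganss.Xss), AngleSharp's IText interface, and that PostProcessNode is raised for text nodes as well as elements; the Defang helper and the zero-width-space trick are this example's own choices.

```csharp
using System;
using System.Text.RegularExpressions;
using AngleSharp.Dom;
using Ganss.Xss;

// Added example, not part of HtmlSanitizer: a PostProcessNode handler that
// neutralises Vue-style {{ }} interpolation left in text after sanitization.
public static class VueSafeSanitizer
{
    // Matches a complete mustache expression such as {{$on.constructor('alert(1)')()}}.
    static readonly Regex Mustache =
        new Regex(@"\{\{[\s\S]*?\}\}", RegexOptions.Compiled);

    public static string Sanitize(string untrustedHtml)
    {
        var sanitizer = new HtmlSanitizer();

        // PostProcessNode fires for each node that survived tag/attribute
        // filtering, so this runs on the text that will actually be emitted.
        sanitizer.PostProcessNode += (sender, e) =>
        {
            if (e.Node is IText text)
            {
                text.Data = Defang(text.Data);
            }
        };

        return sanitizer.Sanitize(untrustedHtml);
    }

    // Drops complete {{ ... }} expressions, then breaks any unmatched "{{"
    // with a zero-width space so a client-side template compiler that reads
    // the rendered DOM (entity-encoding the braces does not help there)
    // no longer sees its delimiter.
    static string Defang(string data)
    {
        var cleaned = Mustache.Replace(data, string.Empty);
        return cleaned.Replace("{{", "{\u200B{");
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed input mirroring the report above.
        var html = "<select><option value=\"1\">Item 1 " +
                   "{{$on.constructor('alert(1)')()}}</option></select>";
        Console.WriteLine(VueSafeSanitizer.Sanitize(html));
    }
}
```

Mounting Vue on a container that carries `v-pre` is the more robust fix, since it tells Vue not to compile that subtree at all; the handler above is a server-side safety net for content that may end up anywhere in the template.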