Clarification

[yyx990803]

Hello, I know this is relatively old, but this repo is being used by some "security researchers" as an evidence of Vue being "insecure" when the vulnerability itself actually isn't a Vue-induced problem.

For the injection to work, this repro is directly inlining unsanitized user input in raw HTML. This practice itself already allows any attacker to inject anything they want without any JavaScript framework being involved. Since the HTML will be evaluated before Vue even gets to process it, the vulnerability is fundamentally caused by the practice of rendering unsanitized HTML (which any competent dev should know to avoid), not by using Vue.

Vue docs also explicitly discourages users from doing this - related info: https://vuejs.org/guide/best-practices/security.html#rule-no-1-never-use-non-trusted-templates

This repo can still serve as an example of what not to do - but please include the above clarification in the README.

[azu]

Yes. This repoducution is not Vue issue.

This repo is a parts of my slide about Client/Server-side template injection attacks in Japanese.

• クライアントサイドからサーバサイドまで破壊するテンプレートエンジンを利用した攻撃と対策
• slide/template-engine-security.md at gh-pages · azu/slide · GitHub

If I remember correctly, I found a similar problem on several sites, so I had created a site (this repository) that reproduced it.
Typical HTML escaping process does not escape {{ or }}. Therefore, this would have been an example of XSS caused by being able to Inject template notation. This is called client/server side template injection.
The slides conveyed the danger of valuing user input as a template.

I can't think of an appropriate phrase to include in the README, so I'll include a link to this Issue in the README.
(PRs to improve README are welcome)

[kioxhiro]

[kioxhiro]

t8n0ad9a6g%2527%2522`'"/t8n0ad9a6g/><t8n0ad9a6g/>uacbmslo4g&