fix(runtime-vapor): setting innerHTML should go through trusted types (#13825)

diff --git a/packages/runtime-dom/src/index.ts b/packages/runtime-dom/src/index.ts
index b241458dba798cc31280d7b2f9fd981de42f979d..64ba93e0e3e98e8d86b2d6d080d4a0e3a0c3afcb 100644 (file)
--- a/packages/runtime-dom/src/index.ts
+++ b/packages/runtime-dom/src/index.ts
@@ -348,3 +348,7 @@ export {
   vModelSelectInit,
   vModelSetSelected,
 } from './directives/vModel'
+/**
+ * @internal
+ */
+export { unsafeToTrustedHTML } from './nodeOps'

diff --git a/packages/runtime-vapor/src/dom/prop.ts b/packages/runtime-vapor/src/dom/prop.ts
index 3b663da77153ed360b80fd087171944fa8a9cb69..346bea53eb16659eaea357db91a26bbef4e6cae8 100644 (file)
--- a/packages/runtime-vapor/src/dom/prop.ts
+++ b/packages/runtime-vapor/src/dom/prop.ts
@@ -14,6 +14,7 @@ import {
   mergeProps,
   patchStyle,
   shouldSetAsProp,
+  unsafeToTrustedHTML,
   warn,
 } from '@vue/runtime-dom'
 import {
@@ -197,7 +198,7 @@ export function setElementText(
 }
 
 export function setHtml(el: TargetElement, value: any): void {
-  value = value == null ? '' : value
+  value = value == null ? '' : unsafeToTrustedHTML(value)
   if (el.$html !== value) {
     el.innerHTML = el.$html = value
   }