From: edison <daiwei521@126.com>
Date: Wed, 24 Sep 2025 08:56:15 +0000 (+0800)
Subject: fix(runtime-vapor): setting innerHTML should go through trusted types (#13825)
X-Git-Tag: v3.6.0-alpha.3~43
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=23bc91ca599ba206f3b0d7a5c24b4fa3436cf0f3;p=thirdparty%2Fvuejs%2Fcore.git

fix(runtime-vapor): setting innerHTML should go through trusted types (#13825)
---

diff --git a/packages/runtime-dom/src/index.ts b/packages/runtime-dom/src/index.ts
index b241458dba..64ba93e0e3 100644
--- a/packages/runtime-dom/src/index.ts
+++ b/packages/runtime-dom/src/index.ts
@@ -348,3 +348,7 @@ export {
   vModelSelectInit,
   vModelSetSelected,
 } from './directives/vModel'
+/**
+ * @internal
+ */
+export { unsafeToTrustedHTML } from './nodeOps'
diff --git a/packages/runtime-vapor/src/dom/prop.ts b/packages/runtime-vapor/src/dom/prop.ts
index 3b663da771..346bea53eb 100644
--- a/packages/runtime-vapor/src/dom/prop.ts
+++ b/packages/runtime-vapor/src/dom/prop.ts
@@ -14,6 +14,7 @@ import {
   mergeProps,
   patchStyle,
   shouldSetAsProp,
+  unsafeToTrustedHTML,
   warn,
 } from '@vue/runtime-dom'
 import {
@@ -197,7 +198,7 @@ export function setElementText(
 }
 
 export function setHtml(el: TargetElement, value: any): void {
-  value = value == null ? '' : value
+  value = value == null ? '' : unsafeToTrustedHTML(value)
   if (el.$html !== value) {
     el.innerHTML = el.$html = value
   }