+// __UNSAFE__
+// Reason: potentially setting innerHTML.
+// This can come from explicit usage of v-html or innerHTML as a prop in render
+// functions. The user is reponsible for using them with only trusted content.
export function patchDOMProp(
el: any,
key: string,
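Review bot: The last line of the added comment misspells "responsible" as "reponsible"; it should read `// functions. The user is responsible for using them with only trusted content.`. The `__UNSAFE__` marker is also placed above the signature of `patchDOMProp`, while the assignment it describes is in the body, which lies outside this hunk. A search for the marker therefore lands on the declaration rather than on the sink, so consider repeating a one-line marker next to the property assignment itself.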
return el.cloneNode(true)
},
+ // __UNSAFE__
+ // Reason: innerHTML.
+ // Static content here can only come from compiled templates.
+ // As long as the user only uses trusted templates, this is safe.
insertStaticContent(content, parent, anchor, isSVG) {
const temp = isSVG
? tempSVGContainer ||
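Review bot: The comment above `insertStaticContent` states as fact that content "can only come from compiled templates", but nothing in the visible lines enforces this, so it reads better as a requirement on callers. A line such as `// Callers must only pass compiler-generated strings, never runtime or user-derived data.` would make the contract explicit for anyone who reuses or reimplements this renderer option. The function body continues outside the hunk, so how `content` reaches the DOM is presumed from the comment's "Reason: innerHTML".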
if (__DEV__ && !el) {
warn(`Template element not found or is empty: ${template}`)
}
+ // __UNSAFE__
+ // Reason: potential execution of JS expressions in in-DOM template.
+ // The user must make sure the in-DOM template is trusted. If it's rendered
+ // by the server, the template should not contain any user data.
template = el ? el.innerHTML : ``
}
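Review bot: The comment before the `el.innerHTML` read says a server-rendered template "should not contain any user data", but it does not say that escaping is no substitute, which is the assumption integrators usually make. HTML-escaping user data does not neutralise template interpolation syntax, so I would add `// HTML-escaping user data is not sufficient: interpolation syntax survives escaping.` and change "should not" to "must not" to match the preceding sentence. The only runtime signal in the visible lines is the dev warning for a missing element, so this constraint lives in the comment alone. The enclosing function starts and ends outside the hunk.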