From: Evan You
Date: Wed, 12 Feb 2020 20:00:32 +0000 (-0500)
Subject: refactor(security): mark potential unsafe code paths
X-Git-Tag: v3.0.0-alpha.5~45
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=8e19424c045235e8b2b6374b9ea15e4b270be9cd;p=thirdparty%2Fvuejs%2Fcore.git
refactor(security): mark potential unsafe code paths
---
diff --git a/packages/runtime-dom/src/modules/props.ts b/packages/runtime-dom/src/modules/props.ts
index e723e2c8bd..911d6215dc 100644
--- a/packages/runtime-dom/src/modules/props.ts
+++ b/packages/runtime-dom/src/modules/props.ts
@@ -1,3 +1,7 @@
+// __UNSAFE__
+// Reason: potentially setting innerHTML.
+// This can come from explicit usage of v-html or innerHTML as a prop in render
+// functions. The user is reponsible for using them with only trusted content.
 export function patchDOMProp(
 el: any,
 key: string,
diff --git a/packages/runtime-dom/src/nodeOps.ts b/packages/runtime-dom/src/nodeOps.ts
index d47803bafd..6c981cd383 100644
--- a/packages/runtime-dom/src/nodeOps.ts
+++ b/packages/runtime-dom/src/nodeOps.ts
@@ -51,6 +51,10 @@ export const nodeOps: Omit, 'patchProp'> = {
 return el.cloneNode(true)
 },
+// __UNSAFE__
+// Reason: innerHTML.
+// Static content here can only come from compiled templates.
+// As long as the user only uses trusted templates, this is safe.
 insertStaticContent(content, parent, anchor, isSVG) {
 const temp = isSVG
 ? tempSVGContainer ||
diff --git a/packages/vue/src/index.ts b/packages/vue/src/index.ts
index 2cc408889a..085a5b34c2 100644
--- a/packages/vue/src/index.ts
+++ b/packages/vue/src/index.ts
@@ -31,6 +31,10 @@ function compileToFunction(
 if (__DEV__ && !el) {
 warn(`Template element not found or is empty: ${template}`)
 }
+// __UNSAFE__
+// Reason: potential execution of JS expressions in in-DOM template.
+// The user must make sure the in-DOM template is trusted. If it's rendered
+// by the server, the template should not contain any user data.
 template = el ? el.innerHTML : ``
 }
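Review bot: The new comment above `patchDOMProp` in props.ts has a typo (`reponsible` → `responsible`), and as a plain `//` block in front of an `export function` it will not show up in editor hovers at call sites; a `/** … */` TSDoc block would carry the `__UNSAFE__` marker to every consumer. It also names only `innerHTML`, while a generic property setter keyed by `key` (the body lies outside the hunk, so this is presumed) reaches any HTML-parsing DOM property the caller names, so the comment should state the trust boundary in terms of the `key`/`value` pair rather than one property, e.g. `// Any key that makes the browser parse markup (innerHTML and similar) is a sink; value must be trusted.` patchDOMProp's parameter list and body continue outside the hunk.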
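Review bot: In nodeOps.ts the comment on `insertStaticContent` justifies the innerHTML write by where today's callers obtain `content`, but since `nodeOps` is exported it places no obligation on future callers; a one-line contract on the parameter would keep the invariant explicit: `// content: compiler-generated markup only; never assemble it from runtime or user-supplied data.` `Reason: innerHTML.` would read better if it named the assignment it refers to, which presumably follows `const temp = …` past the end of the hunk. The hunk header shows `Omit, 'patchProp'>`, which looks like the generic argument was dropped when the patch was rendered rather than a change in the code, so no action there.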
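Review bot: In vue/src/index.ts the `__UNSAFE__` note is attached only to the selector branch (`template = el ? el.innerHTML : ``), yet a `template` string passed directly — which compileToFunction presumably compiles earlier, outside this hunk — carries the same trust requirement, so the note belongs at the function head where it covers both inputs. The comment could also say why "rendered by the server" matters: output escaping does not make such content safe, because the compiler evaluates template interpolations as JavaScript, e.g. `// HTML escaping does not help here: interpolations in the template are compiled to JS expressions.` compileToFunction's body starts and ends outside the hunk.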