
refactor(security): mark potential unsafe code paths

Evan You 6 лет назад
8e19424c04

+ 4 - 0
packages/runtime-dom/src/modules/props.ts

@@ -1,3 +1,7 @@
+// __UNSAFE__
+// Reason: potentially setting innerHTML.
+// This can come from explicit usage of v-html or innerHTML as a prop in render
+// functions. The user is reponsible for using them with only trusted content.
 export function patchDOMProp(
   el: any,
   key: string,
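Review bot: The new header comment misspells `reponsible` (should be `responsible`) and names who is to blame without stating the actual contract a reader needs; I would add `// No escaping or sanitization happens here: the value is handed to the DOM as-is.` The reason line attributes the sink only to v-html or an `innerHTML` prop, but the signature of patchDOMProp continues past the end of the hunk and the body is not visible, so I cannot confirm that innerHTML is the only HTML-parsing property it assigns; if the body also routes other such keys, the reason line should list them so the `__UNSAFE__` marker stays accurate.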

+ 4 - 0
packages/runtime-dom/src/nodeOps.ts

@@ -51,6 +51,10 @@ export const nodeOps: Omit<RendererOptions<Node, Element>, 'patchProp'> = {
     return el.cloneNode(true)
   },
 
+  // __UNSAFE__
+  // Reason: innerHTML.
+  // Static content here can only come from compiled templates.
+  // As long as the user only uses trusted templates, this is safe.
   insertStaticContent(content, parent, anchor, isSVG) {
     const temp = isSVG
       ? tempSVGContainer ||
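Review bot: The claim that static content "can only come from compiled templates" locates the trust boundary at the compiler, but the boundary is really the template source: a template compiled at runtime from an in-DOM element or a user-supplied string (the compileToFunction path this same commit marks in packages/vue/src/index.ts) yields hoisted static content that reaches this innerHTML exactly like a build-time template. I would make that explicit so the two markers agree: `// "Trusted" means the template *source* was trusted; templates compiled at runtime from user-controlled HTML are not.` insertStaticContent's body continues past the end of the hunk, so I cannot see how the parsed nodes are moved from the temp container into the document.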

+ 4 - 0
packages/vue/src/index.ts

@@ -31,6 +31,10 @@ function compileToFunction(
     if (__DEV__ && !el) {
       warn(`Template element not found or is empty: ${template}`)
     }
+    // __UNSAFE__
+    // Reason: potential execution of JS expressions in in-DOM template.
+    // The user must make sure the in-DOM template is trusted. If it's rendered
+    // by the server, the template should not contain any user data.
     template = el ? el.innerHTML : ``
   }
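Review bot: The advice that a server-rendered template "should not contain any user data" should say why, because the defense most teams already apply — HTML-escaping user input on the server — does not help here: escaped text still carries interpolation delimiters such as `{{ ... }}` unchanged, and once this innerHTML becomes the template they are compiled into expressions. I would extend the comment with `// HTML-escaping user data does NOT make it safe here: interpolation delimiters survive escaping and are compiled as code.` Separately, the `__DEV__`-only warn means that in production a missing element silently compiles the empty template from the `el ? el.innerHTML : ``` fallback, which is worth a one-line note for anyone debugging a blank mount. compileToFunction starts and ends outside the hunk.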