From 8e19424c045235e8b2b6374b9ea15e4b270be9cd Mon Sep 17 00:00:00 2001 From: Evan You Date: Wed, 12 Feb 2020 15:00:32 -0500 Subject: [PATCH] refactor(security): mark potential unsafe code paths --- packages/runtime-dom/src/modules/props.ts | 4 ++++ packages/runtime-dom/src/nodeOps.ts | 4 ++++ packages/vue/src/index.ts | 4 ++++ 3 files changed, 12 insertions(+) diff --git a/packages/runtime-dom/src/modules/props.ts b/packages/runtime-dom/src/modules/props.ts index e723e2c8..911d6215 100644 --- a/packages/runtime-dom/src/modules/props.ts +++ b/packages/runtime-dom/src/modules/props.ts @@ -1,3 +1,7 @@ +// __UNSAFE__ +// Reason: potentially setting innerHTML. +// This can come from explicit usage of v-html or innerHTML as a prop in render +// functions. The user is reponsible for using them with only trusted content. export function patchDOMProp( el: any, key: string, diff --git a/packages/runtime-dom/src/nodeOps.ts b/packages/runtime-dom/src/nodeOps.ts index d47803ba..6c981cd3 100644 --- a/packages/runtime-dom/src/nodeOps.ts +++ b/packages/runtime-dom/src/nodeOps.ts @@ -51,6 +51,10 @@ export const nodeOps: Omit, 'patchProp'> = { return el.cloneNode(true) }, + // __UNSAFE__ + // Reason: innerHTML. + // Static content here can only come from compiled templates. + // As long as the user only uses trusted templates, this is safe. insertStaticContent(content, parent, anchor, isSVG) { const temp = isSVG ? tempSVGContainer || diff --git a/packages/vue/src/index.ts b/packages/vue/src/index.ts index 2cc40888..085a5b34 100644 --- a/packages/vue/src/index.ts +++ b/packages/vue/src/index.ts @@ -31,6 +31,10 @@ function compileToFunction( if (__DEV__ && !el) { warn(`Template element not found or is empty: ${template}`) } + // __UNSAFE__ + // Reason: potential execution of JS expressions in in-DOM template. + // The user must make sure the in-DOM template is trusted. If it's rendered + // by the server, the template should not contain any user data. template = el ? el.innerHTML : `` }