Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Unsafe Injection of HTML #14

Open
lsnow99 opened this issue Apr 15, 2021 · 0 comments
Open

Unsafe Injection of HTML #14

lsnow99 opened this issue Apr 15, 2021 · 0 comments

Comments

@lsnow99
Copy link

lsnow99 commented Apr 15, 2021

The way the library works via v-html allows someone to inject arbitrary html if they can control the input string to linkify. An example is here

The linkify notes on this are available here:

I'm not sure any code changes are necessary, but a disclaimer that only trusted strings should be passed in the Readme might be appropriate. Vue obviously makes this disclaimer in their documentation, but I think it is worth reiterating it in this project just because it is likely that users of this library would want to use it with untrusted strings of text.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant