XSS attack

[Matx99]

Hello,

Am I safe using bootstrap-vue concerning XSS atacks?

https://github.com/bootstrap-vue/bootstrap-vue/search?q=v-html shows bootstrap uses v-html but is that a problem?
Is it a problem only if I use bootstrap components who use v-html or is it a problem even if I don't use one?

Finally, is using {{ myContent }} fixing the issue if I use a bootstrap-vue component who use v-html itself?

Thank you

[darrinmn9]

If you look in the component reference doc sections, it says

Caution: Props that support HTML strings (*-html) can be vulnerable to Cross Site Scripting (XSS) attacks when passed raw user supplied values. You must properly sanitize the user input first!

Yes, {{ }} Is safe from xss as it will not render as html

[VividLemon]

Why are you concerning yourself with the usage of v-html in the docs?

Few elements have the ability to use an html prop. Each instance has a heavy note about their usage https://bootstrap-vue.org/docs/components/carousel#props . Unless there is a serious security issue with bootstrap-vue, the duty to have a secure app falls on the implementer.