-
Notifications
You must be signed in to change notification settings - Fork 16
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Unsafe Injection of HTML #14
Comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
The way the library works via
v-html
allows someone to inject arbitrary html if they can control the input string to linkify. An example is hereThe linkify notes on this are available here:
I'm not sure any code changes are necessary, but a disclaimer that only trusted strings should be passed in the Readme might be appropriate. Vue obviously makes this disclaimer in their documentation, but I think it is worth reiterating it in this project just because it is likely that users of this library would want to use it with untrusted strings of text.
The text was updated successfully, but these errors were encountered: