Replace uses of v-html with more security-conscious alternatives
We have a few places where we use the v-html directive to render HTML strings. The standard Vue ESLint rules yield a warning for each use of v-html, which is a reasonable default, but we could make it an error to ensure that we don't introduce XSS bugs by accident.
Most of our v-html uses are related to translations, which could be handled through component interpolation if we used the popular vue-i18n library. Other uses, like markdown rendering, should be encapsulated in a separate component or directive that makes sure any XSS-related tags or attributes are stripped from the input before they reach v-html.