Additional improvements to escaping html in our Vue.js codebase #11269

jardakotesovec · 2025-04-14T10:40:15Z

jardakotesovec
Apr 14, 2025
Maintainer

Introduction

As first step, we already moved from v-html to v-strip-unsafe-html. Which is using dompurify to ensure, that no harmful JS can be injected there

In 3.6 I would like to refine the strategy further, because we still currently have many v-strip-unsafe-html, which are hidden in base components and developer using these components might not be aware of that he is passing data that might be rendered via v-strip-unsafe-html. Even though security is already covered. It still allows to introduce some html and make our UI looks funky, which is not great for perceived security. And it still allows to some degree to manipulate with our UI.

Differentiate between strings and html string in base components

I think its important to have possibility to explicitly opt-in for v-strip-unsafe-html in the place where the data are being passed.

Good example is our Dialog component, where its possible to pass message, which is than passed (hiddenly) to v-strip-unsafe-html.

Solution which I think could work quite well, is that if such general component is introducing option to receive html - it will have explicit props to do so.

For dialog I would suggest that we have: message and messageHtml, so the creator of the dialog can asses whether he needs html (maybe the translation contains some html tags) or not. Same pattern I believe could be applied to other components as well.

HTML in the translation arguments

Than we have use case, where we are passing arguments to the translations. In following scenario, we require html for the translation itself, but we don't want html for the argument (its not submission title, but the reviewer recommendation title):

msgid "manager.reviewerRecommendations.confirmDeactivate"
msgstr "Are you sure you want to deactivate the recommendation <b>{$title}</b>"

For that I would like to adjust our translation function t to escape arguments by default and introducing new option to allow html for specific field:

So when using this in dialog, where we don't want to allow html tags in the title, it would be just

openDialog({
  messageHtml: t('manager.reviewerRecommendations.confirmDeactivate', {title: recommendationTitle})
}

But if its submission title where we do allow html, we could explicitly escaping for the title argument like this:

openDialog({
  messageHtml: t('manager.reviewerRecommendations.confirmDeactivate', {title: suggestionTitle}, {allowHtmlForPlaceholders: ['title']})
}

jonasraoni · 2025-04-14T14:07:08Z

jonasraoni
Apr 14, 2025
Collaborator

I see escaping by default as a requirement :)

Extra property to specify HTML content
Using an extra property (xxxHtml) is a common approach, so nothing against it, another alternative would be an allowHtml.

Extra argument for the t()
Also nothing against this one, you can also introduce an extra attribute like allowHtml (defaults to false), for the translation as a whole.

Both are breaking changes, but at this moment, there might be very few people making use of the Vue components, so it's definitely ok to introduce them in my opinion.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Additional improvements to escaping html in our Vue.js codebase #11269

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Replies: 1 comment

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Select a reply

Uh oh!

Additional improvements to escaping html in our Vue.js codebase #11269

Uh oh!

Uh oh!

jardakotesovec Apr 14, 2025 Maintainer

Introduction

Differentiate between strings and html string in base components

HTML in the translation arguments

Replies: 1 comment

Uh oh!

Uh oh!

jonasraoni Apr 14, 2025 Collaborator

jardakotesovec
Apr 14, 2025
Maintainer

jonasraoni
Apr 14, 2025
Collaborator