
Template escape using function constructor

Here is the escape

<p>Hello, {{ this.constructor.constructor('alert("oops")')`` }}</p>

Vue.js version

1.0.26

Reproduction Link

http://jsfiddle.net/yvt7eckL/1/

Steps to reproduce

Open the jsfiddle

What is Expected?

No alert boxes

What is actually happening?

Alert box pops up

Issue Analytics

  • State: closed
  • Created: 7 years ago
  • Comments: 6 (3 by maintainers)

Top GitHub Comments

1 reaction
bahmutov commented, Sep 3, 2016

The solution that vue and any other framework should put as a big disclaimer is for users to set strict content security policy and disallow inline scripts.


> On Sep 3, 2016, at 00:39, 宋铄运 notifications@github.com wrote:
>
> Hmm… It’s true that one may use template engines + vue and create security loopholes, but I doubt if there’s much to be done at vue’s end (without great efforts), but PRs are always welcome 😄.
>
> In my opinion this should be solved by a framework-agnostic tool or plugin for these template engines, and it should be recommended (or even enforced) for anyone who uses them with vue (or ng or whatever front-end framework).

0 reactions
yyx990803 commented, Sep 5, 2016

This has been discussed long ago - the issue here is that the moment you use Vue or any other client side framework to compile a template potentially generated by a malicious 3rd party, you are already busted. There are simply too many ways to get around the system when you need to evaluate arbitrary content - all XSS loopholes apply, and it is simply impractical for the framework to take on that responsibility for the user.

In practice, the simple rule is you should always be able to trust the template you pass to Vue. That’s it.

I do agree we should make this more prominent in the docs though.
