vuejs/vue

The output of v-html directive is incorrect in case the <> of a tag are serialized

chicong065 opened this issue · 1 comments

Version

2.6.10

Reproduction link

play.vuejs.org/

Steps to reproduce

1/ Please add this string as content of v-html: <div>&lt;script&gt;alert('abc')&lt;/script&gt;</div>.

2/ Inspect the section above; you'll see the script tag is rendered as an HTML element, not a string.

What is expected?

This part &lt;script&gt;alert('abc')&lt;/script&gt; will be rendered as a string, not an HTML tag.

What is actually happening?

This part &lt;script&gt;alert('abc')&lt;/script&gt; is rendered as an HTML tag, not a string.

This is because you are putting it directly in the HTML, so the escaped characters get unescaped (not Vue BTW). In practice the value should be in a JS variable, in which case you will see the behavior you want.
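The two paths described in the reply above, as an added example that is not part of the issue thread or of Vue's code: the reported string is followed once through template markup (entity references decoded before the directive sees it) and once through a JS variable. `decodeEntities`, `parseFragment`, `inlineInTemplate` and `fromJsVariable` are hypothetical names, and `parseFragment` is a deliberately simplified stand-in for the browser's `innerHTML` parsing that `v-html` relies on.

```javascript
// Constructed input: the string from the issue report.
const REPORTED = "<div>&lt;script&gt;alert('abc')&lt;/script&gt;</div>";

const NAMED = new Map([["lt", "<"], ["gt", ">"], ["amp", "&"], ["quot", '"'], ["apos", "'"]]);

// Resolve the character references an HTML parser decodes in attribute
// values and text (small subset: five named references plus numeric ones).
function decodeEntities(s) {
  return s.replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);/gi, (match, ref) => {
    if (ref[0] !== "#") return NAMED.has(ref) ? NAMED.get(ref) : match;
    const code = /^#x/i.test(ref) ? parseInt(ref.slice(2), 16) : parseInt(ref.slice(1), 10);
    return code > 0 && code <= 0x10ffff ? String.fromCodePoint(code) : match;
  });
}

// Simplified model of an innerHTML assignment (assumption: no attributes,
// comments or raw-text rules): start tags become elements, everything else
// becomes text nodes with their references decoded.
function parseFragment(html) {
  const nodes = [];
  const token = /<\/?([a-zA-Z][^\s\/>]*)[^>]*>|[^<]+|</g;
  let m;
  while ((m = token.exec(html)) !== null) {
    if (m[1] === undefined) {
      nodes.push({ type: "text", value: decodeEntities(m[0]) });
    } else if (m[0][1] !== "/") {
      nodes.push({ type: "element", name: m[1].toLowerCase() });
    }
  }
  return nodes;
}

// Path 1: the string sits inline in template markup, so the template/HTML
// parser decodes the references before v-html ever receives the value.
function inlineInTemplate(raw) {
  return parseFragment(decodeEntities(raw));
}

// Path 2: the string lives in a JS variable; v-html receives it unchanged.
function fromJsVariable(raw) {
  return parseFragment(raw);
}

const elementNames = (nodes) => nodes.filter((n) => n.type === "element").map((n) => n.name);
const textValues = (nodes) => nodes.filter((n) => n.type === "text").map((n) => n.value);

console.log("inline in template:", elementNames(inlineInTemplate(REPORTED)));
console.log("from JS variable: ", elementNames(fromJsVariable(REPORTED)), textValues(fromJsVariable(REPORTED)));
```

On either path `v-html` inserts the value as HTML, so a string that is not fully trusted should be sanitised first or rendered with `{{ }}` text interpolation instead.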