The output of v-html directive is incorrect in case the <> of a tag are serialized
chicong065 opened this issue · 1 comments
chicong065 commented
Version
2.6.10
Reproduction link
Steps to reproduce
1/ Please add this string as content of v-html: <div><script>alert('abc')</script></div>.
2/ Inspect the section above; you'll see the script tag is rendered as an HTML element, not a string.
What is expected?
This part <script>alert('abc')</script> will be rendered as a string, not an HTML tag.
What is actually happening?
This part <script>alert('abc')</script> is rendered as an HTML tag, not a string.
posva commented
This is because you are putting it directly in the HTML so the escaped characters get unescaped (not Vue BTW). In practice the value should be in a JS variable, in which case you will see the behavior you want.
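The difference described in the reply above, as an added example that is not part of the original thread or of Vue's code: it models the extra entity-decoding pass that markup authored directly in the page goes through before it reaches `innerHTML`. It assumes the reported string carried the angle brackets as `&lt;` and `&gt;`; `decodeOnce`, `parseAsInnerHTML`, `viaInDomTemplate` and `viaJsVariable` are hypothetical helpers, not browser or Vue APIs.

```javascript
// Stand-in for the entity decoding an HTML parser applies to text and
// attribute values. Constructed for this example; only five entities.
const ENTITIES = { '&lt;': '<', '&gt;': '>', '&amp;': '&', '&quot;': '"', '&#39;': "'" };

function decodeOnce(s) {
  return s.replace(/&(?:lt|gt|amp|quot|#39);/g, (m) => ENTITIES[m]);
}

// Reduced model of assigning a string to innerHTML: real tags become
// elements, everything else becomes text (with entities decoded for display).
function parseAsInnerHTML(html) {
  const elements = [];
  const text = html.replace(/<\/?([a-zA-Z][\w-]*)[^>]*>/g, (m, name) => {
    if (!m.startsWith('</')) elements.push(name.toLowerCase());
    return '';
  });
  return { elements, text: decodeOnce(text) };
}

// Path A: the string is written in the page's own HTML. The browser parses
// the page first (decoding pass 1), the framework reads the already-decoded
// value, and v-html hands it to innerHTML (parsing pass 2).
function viaInDomTemplate(authored) {
  return parseAsInnerHTML(decodeOnce(authored));
}

// Path B: the string lives in a JS variable, so innerHTML is the only parser
// that ever sees it and the entities survive as visible text.
function viaJsVariable(value) {
  return parseAsInnerHTML(value);
}

// Constructed input: the issue's string with the inner brackets as entities.
const authored = "<div>&lt;script&gt;alert('abc')&lt;/script&gt;</div>";

function report() {
  const a = viaInDomTemplate(authored);
  const b = viaJsVariable(authored);
  return [
    `in-DOM template: elements=${a.elements.join(',')} text=${a.text}`,
    `JS variable:     elements=${b.elements.join(',')} text=${b.text}`,
  ].join('\n');
}

console.log(report());
```

Escaping that is correct for one parsing pass stops being enough when the value crosses a second parser, so when reviewing `v-html` usage, check where the bound value originates as well as how it was escaped.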