XSS prevention: rendering unescaped HTML `useHeadRaw`

Question

XSS prevention: rendering unescaped HTML `useHeadRaw`

Closed this issue 2 years ago · 2 comments

Problem

The only way to render child DOM node content is with children which sets the textContent of an element.

Users want a way to set the innerHTML of an element, related: #84, #51

They also want to render props without escaping, related: #59, #46

There are some security implications here, if we support this and users are filling useHead directly from an external source, then it's possible that they would be open to XSS.

Proposed Solution

To mitigate against this while still providing a nice DX, it may be required to create a new function useHeadRaw, which would mark all input as raw, meaning it won't be sanitised.

We can also introduce useHeadRaw specific attributes, such as on for htmlAttr and bodyAttr, allowing a user to provide events to be ran, related #47

Answer 1 · 2022-09-19T05:36:44.000Z

@antfu Do you have any thoughts on this? Will work on a PR for it soon

Answer 2 · 2022-10-05T00:39:29.000Z

This is released in 0.9.x