Yes it is really that dangerous.
Consider what happens when I create the post:

    Hi I'm Dave this is my <script>alert('pwned,' + document.cookie)</script> post!

I can now run arbitrary JS code on your website and steal login info for every user you serve this code to.
I’m not super familiar with Vue in particular, but most frameworks have an easy way to output sanitized HTML. I think this is `{{ item.plot }}` in Vue. This will not render an actual `<script>` (or any other tag) but an escaped version, `&lt;script&gt;`, which the browser will not interpret as actual code.
There are a million other ways to do XSS if you let me inject my own HTML in your website.
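
The difference the answer describes, as an added example that is not part of the original answer or Vue's own code: `renderRaw` stands in for inserting the field as HTML (what Vue's `v-html` does), `renderEscaped` for text interpolation. The function names, the `<p class="plot">` wrapper and the tag-counting helper are assumptions made for illustration.

```javascript
// Added example. escapeHtml is a hand-written stand-in for the escaping
// that text interpolation performs; it is not taken from Vue.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(value) {
  // Replace every character that can open a tag, an entity or an attribute value.
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Raw output: the user's string is pasted into the markup unchanged.
function renderRaw(item) {
  return `<p class="plot">${item.plot}</p>`;
}

// Escaped output: the user's string can only ever become text.
function renderEscaped(item) {
  return `<p class="plot">${escapeHtml(item.plot)}</p>`;
}

// Names of the start tags an HTML parser would find in the output.
// Anything besides the template's own <p> came from the user.
function startTags(html) {
  const found = html.match(/<[a-zA-Z][^>]*>/g) || [];
  return found.map((tag) => tag.match(/^<([a-zA-Z0-9]+)/)[1].toLowerCase());
}

// The post from the answer above.
const post = {
  plot: "Hi I'm Dave this is my <script>alert('pwned,' + document.cookie)</script> post!",
};

console.log(startTags(renderRaw(post)));     // user-supplied tag survives
console.log(startTags(renderEscaped(post))); // only the template's tag remains
console.log(renderEscaped(post));
```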
Source:stackexchange.com