You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
"summary": "vue-i18n's escapeParameterHtml does not prevent DOM-based XSS through its tag attributes",
10
+
"details": "### Summary\nThe escapeParameterHtml: true option in Vue I18n is designed to protect against HTML/script injection by escaping interpolated parameters. However, this setting fails to prevent execution of certain tag-based payloads, such as <img src=x onerror=...>, if the interpolated value is inserted inside an HTML context using v-html.\n\nThis may lead to a DOM-based XSS vulnerability, even when using escapeParameterHtml: true, if a translation string includes minor HTML and is rendered via v-html.\n\n### Details\n\nWhen escapeParameterHtml: true is enabled, it correctly escapes common injection points.\n\nHowever, it does not sanitize entire attribute contexts, which can be used as XSS vectors via:\n\n`<img src=x onerror=alert(1)>\n`\n### PoC\nIn your Vue I18n configuration:\n\n```\nconst i18n = createI18n({\n escapeParameterHtml: true,\n messages: {\n en: {\n vulnerable: 'Caution: <img src=x onerror=\"{payload}\">'\n }\n }\n});\n```\nUse this interpolated payload:\n\n`const payload = '<script>alert(\"xss\")</script>';`\nRender the translation using v-html (even not using v-html):\n\n`<p v-html=\"$t('vulnerable', { payload })\"></p>\n`\nExpected: escaped content should render as text, not execute.\n\nActual: script executes in some environments (or the payload is partially parsed as HTML).\n\n### Impact\n\nThis creates a DOM-based Cross-Site Scripting (XSS) vulnerability despite enabling a security option (escapeParameterHtml) .",
0 commit comments