Level 122
You need to put three backticks ``` before and after the code block in order for html to show up in the forum
Sep 12, 2017
7
Level 4
Vue interpolation
When you have a user content which includes double curly brakets {{ }} in blade files, it will compile it by Vue.
So, what I mean by that is if users' input is like this my input is {{ alert('hello xss vulnabilities') }} it will alert in blade files. If you don't trust me try it, but you need to run npm run production since the command remove a debug tool.
public function index () {
$text = 'hello {{ xss vulnabilities }}';
return view('welcome', compact('text'));
}
// the screen will go blank if your js file is not minified but it will alert when minified
in blade
<h1>{{ $text }}</h1>
Yes we can use v-pre on every tag where you show your users' contents to tell Vue to not compile it but it is very tiring isn't it?
How do you guys go about fixing this?
Level 4
I made a middleware to remove curly brackets, but don't know if this is a better way to do this
Level 122
I don't understand the issue?
Level 29
in Blade you need to escape the curly braces.
Give this a try
public function index () {
$text = 'hello @{{ xss vulnabilities }}';
return view('welcome', compact('text'));
}
// the screen will go blank if your js file is not minified but it will alert when minified
in blade
<h1>{{ $text }}</h1>
Level 4
That's just an example. I don't have control what users would type
Level 20
<h1>@{{ $text }}</h1> or
@verbatim
<h1>{{ $text }}</h1>
@endverbatim
Level 20
Old thread, but this topic came up again just recently: https://medium.com/@taylorotwell/js-frameworks-server-side-rendering-and-xss-722805009892
This npm package disables interpolation and fixes the Vue problem with curly brackets: https://www.npmjs.com/package/vue-disable-interpolation
Please or to participate in this conversation.