Conversation

@serdfxe commented Dec 1, 2025

Summary

Replaces unsafe v-html usage with a sanitized v-safe-html directive to prevent XSS vulnerabilities.

Problem

Several components use v-html to render content, which could execute malicious scripts if the content contains user-controlled input. This creates XSS vulnerabilities.

Solution

  1. Added DOMPurify dependency for HTML sanitization
  2. Created a global Vue directive v-safe-html that sanitizes HTML before rendering
  3. Replaced all instances of v-html with v-safe-html

Testing

  • Application functionality preserved (syntax highlighting, plan trees)
  • Build succeeds (npm run build)
  • Linting passes (npm run lint)

@pgiraud (Member) commented Dec 1, 2025

Thanks for this contribution.

Given what's written in the VueJS documentation, it is possible to use v-html safely when we know the HTML to render is safe. In my opinion, this is the case in pev2. All the HTML content used for v-html corresponds to values created internally in PEV2, not directly from user input.

Unless I'm wrong, there's no possible XSS attack. If you see any, please provide an example of a plan, query or title that could be harmful.

@serdfxe (Author) commented Dec 12, 2025

Thanks for reviewing this!

I discovered this issue while integrating PEV2 into a production environment at a big tech company. Our security audit flagged the v-html usage as an XSS vulnerability.

Concrete example of the vulnerability:

When a user submits input like:

<img src="x" onerror="alert(localStorage.getItem('secret_token'))" />

The generated HTML contains unsanitized user input which gets executed via v-html.

Real-world risk:

The vulnerability becomes critical in public-facing deployments (similar to services like explain.tensor.ru). An attacker could craft a malicious SQL query with XSS payload and share the link. When another user views it, the XSS executes in their browser, potentially stealing session cookies or sensitive data from query plans.

Impact on project adoption:

For an open-source project, having known XSS vulnerabilities in the codebase makes it:

  • Harder to adopt in enterprise environments (security audits will block it)
  • Riskier to integrate into larger applications

My PR adds defense in depth with DOMPurify, which is a security best practice for handling HTML rendering when user input is involved.
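The following is an added example, not pev2's code and not the code in this PR. It runs the payload quoted above through the two paths the thread argues about: HTML that is "generated internally" but built by wrapping raw query text in markup (what v-html would receive), and the same string passed through a v-safe-html directive that sanitises before assigning innerHTML, as in the three-step solution in the PR description. It also shows the alternative pgiraud's position implies, escaping the text before the highlighter adds its own tags. The keyword highlighter, the allow-list sanitiser (toySanitize), the fake element and the app.directive registration shown in a comment are assumptions constructed for this demo; in the real directive DOMPurify.sanitize takes the toy sanitiser's place.

```javascript
// Added example (not pev2's or the PR's code): an XSS sink built from query text,
// a v-safe-html directive that closes it at the sink, and source-side escaping.

const PAYLOAD = `<img src="x" onerror="alert(localStorage.getItem('secret_token'))" />`;
const SAMPLE_QUERY = `SELECT ${PAYLOAD} FROM t`; // constructed input for the demo
const KEYWORD = /\b(SELECT|FROM|WHERE)\b/g;

// Escape text for a text-node or attribute context. `&` is left alone when it
// already starts an entity reference, so sanitising escaped text is idempotent
// (trade-off: a literal "&lt;" typed in a query renders as "<", which is still inert).
function escapeHtml(text) {
  return String(text)
    .replace(/&(?!(?:[a-zA-Z][a-zA-Z0-9]*|#\d+|#x[0-9a-fA-F]+);)/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable: the markup is "generated internally", but it is wrapped around the
// raw query, so any tag inside the query text survives into the HTML string.
function highlightUnsafe(sql) {
  return sql.replace(KEYWORD, '<span class="kw">$1</span>');
}

// Fixed at the source: escape first, then add only the highlighter's own tags.
function highlightSafe(sql) {
  return escapeHtml(sql).replace(KEYWORD, '<span class="kw">$1</span>');
}

// Stand-in allow-list sanitiser (toy for this demo, not a DOMPurify replacement):
// keeps <span class="..."> and <br>, drops every other tag together with all of
// its attributes, and re-escapes any stray text, so a dropped <script> body
// becomes visible text rather than code.
const ALLOWED_TAGS = new Set(['span', 'br']);
const ALLOWED_ATTRS = new Set(['class']);
const TAG_RE = /<(\/?)([a-zA-Z][\w-]*)((?:\s+[^\s=>]+(?:=(?:"[^"]*"|'[^']*'|[^\s>]+))?)*)\s*\/?>/g;
const ATTR_RE = /([^\s=>]+)(?:=(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;

function toySanitize(html) {
  let out = '';
  let last = 0;
  for (const m of html.matchAll(TAG_RE)) {
    out += escapeHtml(html.slice(last, m.index)); // text between tags
    last = m.index + m[0].length;
    const [, closing, rawName, rawAttrs] = m;
    const name = rawName.toLowerCase();
    if (!ALLOWED_TAGS.has(name)) continue; // e.g. <img ...>: tag and attributes vanish
    if (closing) { out += `</${name}>`; continue; }
    const attrs = [];
    for (const a of rawAttrs.matchAll(ATTR_RE)) {
      const key = a[1].toLowerCase();
      if (!ALLOWED_ATTRS.has(key)) continue; // onerror, onclick, style, src: dropped
      attrs.push(` ${key}="${escapeHtml(a[2] ?? a[3] ?? a[4] ?? '')}"`);
    }
    out += `<${name}${attrs.join('')}>`;
  }
  return out + escapeHtml(html.slice(last));
}

// Directive factory: the sanitiser is an explicit parameter. Assumed wiring in an
// app (not the PR's code): app.directive('safe-html', makeSafeHtmlDirective(DOMPurify.sanitize))
// and <div v-safe-html="html"> in templates. `updated` matters as much as `mounted`:
// a plan or query re-rendered later must go through the same sanitiser.
function makeSafeHtmlDirective(sanitize) {
  const render = (el, binding) => { el.innerHTML = sanitize(binding.value ?? ''); };
  return { mounted: render, updated: render };
}

// Minimal stand-in for a DOM element so the directive runs outside a browser.
function fakeElement() {
  return { innerHTML: '' };
}

// Drive both paths over a query carrying the payload and report what each would
// hand to the DOM.
function demo(query) {
  const directive = makeSafeHtmlDirective(toySanitize);
  const el = fakeElement();
  const unsafeHtml = highlightUnsafe(query);    // what v-html would assign verbatim
  directive.mounted(el, { value: unsafeHtml }); // v-safe-html over the same string
  const escapedAtSource = highlightSafe(query);
  return {
    unsafeHtml,
    sanitized: el.innerHTML,
    escapedAtSource,
    sanitizedIsIdempotent: toySanitize(escapedAtSource) === escapedAtSource,
  };
}

console.log(JSON.stringify(demo(SAMPLE_QUERY), null, 2));
```

Running it shows the onerror handler present in unsafeHtml, absent from sanitized (the whole img tag is dropped), and the payload rendered as inert text in escapedAtSource; the last flag shows that source-side escaping and sink-side sanitising compose, which is what "defense in depth" means here. The toy allow-list is deliberately narrower than DOMPurify's defaults; a real deployment should use DOMPurify and, if pev2's plan-tree markup needs more than span and br, pass an explicit ALLOWED_TAGS configuration rather than widening the sink.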
