JS.VUE.NO.V.HTML

Disallow use of v-html to prevent XSS attacks

Rule Details

This rule reports every use of the v-html directive. The goal is to reduce the risk of injecting potentially unsafe, unescaped HTML into the browser, which can lead to Cross-Site Scripting (XSS) attacks.

{'vue/no-v-html': ['error']}

<template>
  <!-- GOOD -->
  <div>{{ someHTML }}</div>

  <!-- BAD -->
  <div v-html="someHTML"></div>
</template>
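
The rule is purely syntactic: it flags the directive wherever it appears in a template, whatever the bound value is. The following added example (not the ESLint rule's own implementation, which works on the parsed template) approximates that check with a line scan; findVHtml, stripComments and the sample component are hypothetical names and constructed input.

```javascript
// Added example: line-based approximation of the check, not the rule's real code.
const V_HTML = /(?:^|\s)v-html(?=[\s=>\/]|$)/; // directive used as an attribute name

// Remove HTML comment text from one line; state carries "inside a comment" across lines.
function stripComments(line, state) {
  let out = '';
  let pos = 0;
  while (pos < line.length) {
    if (state.inComment) {
      const end = line.indexOf('-->', pos);
      if (end === -1) return out; // comment continues on the next line
      state.inComment = false;
      pos = end + 3;
    } else {
      const start = line.indexOf('<!--', pos);
      if (start === -1) return out + line.slice(pos);
      out += line.slice(pos, start);
      state.inComment = true;
      pos = start + 4;
    }
  }
  return out;
}

// Return [{ line, text }] for each v-html directive found inside <template> blocks.
function findVHtml(sfcSource) {
  const findings = [];
  const state = { inComment: false };
  let depth = 0; // nesting depth of <template> elements
  sfcSource.split(/\r?\n/).forEach((raw, index) => {
    const code = stripComments(raw, state);
    depth += (code.match(/<template(?=[\s>]|$)/g) || []).length;
    if (depth > 0 && V_HTML.test(code)) findings.push({ line: index + 1, text: raw.trim() });
    depth = Math.max(0, depth - (code.match(/<\/template\s*>/g) || []).length);
  });
  return findings;
}

// Constructed sample component (not from the original page).
const SAMPLE = [
  '<template>',
  '  <!-- <p v-html="old"></p> commented out, not reported -->',
  '  <div>{{ someHTML }}</div>',
  '  <div v-html="someHTML"></div>',
  '  <template v-if="show"><span v-html="sanitized" /></template>',
  '</template>',
  '<script>const note = "see v-html docs";</script>',
].join('\n');
console.log(findVHtml(SAMPLE).map((f) => f.line));
```

Line 5 of the sample is reported even though the bound value is named sanitized: a syntactic check cannot tell whether the content was actually sanitized, which is why that judgement is left to the developer.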

Options

Nothing.

When Not To Use It

If you are certain the content passed to v-html is sanitized HTML, you can disable this rule.

Further Reading

  • XSS in Vue.js (https://blog.sqreen.io/xss-in-vue-js/)

The content on this page is adapted from the ESLint User Guide. Copyright © OpenJS Foundation and other contributors, www.openjsf.org. All rights reserved. https://eslint.org/docs/rules/