Vue's v-html directive, why xss didn't take effect

the front and rear ends do not transcode. The background returns the string of < script > xxx < / script >, and the front end renders the text directly with v-html. However, it neither renders the text like v-text nor executes the methods in the script. The simple demo is as follows:

the code is as follows: 

<template>
    <div v-html="msg">
        
    </div>
</template>

<script>    
    export default {
        data() {
            return {
                msg: "message"
            }
        },
        mounted() {
            this.msg = ":<script>console.log(1)<\/script>"; //
            var script = document.createElement("script");
            script.innerHTML = "console.log(2)";
            this.$el.parentElement.appendChild(script); // 2
        }
    }
</script>
Vue.js xss
Mar.16,2022

https: / / developer.mozilla.org.

although this looks like a cross-site scripting attack, the result is nothing. HTML 5 specifies that the < script > tag inserted by innerHTML is not executed.

Previous: How to set Wechat floating window icon?

Next: Js array traversal

css mysql arrays josn react html typescript webpack npm sass R objective-c .net sql-server jquery python-3.x angularjs django angular excel regex iphone ajax linux xml pandas vba spring database wordpress string wpf xcode windows bash postgresql oracle multithreading eclipse list firebase algorithm macos forms image scala visual-studio azure bootstrap spring-boot react-native python-2.7 docker performance function winforms matlab powershell apache dataframe api sqlite numpy rest shell selenium flutter dart maven loops qt swing android-studio csv express file class tensorflow sorting codeigniter perl
© 2021 CodesHelper
Advertising Contact us About us
Menu