useHead script `children` vulnerable to XSS about head HOT 4 CLOSED

To give context, you are providing a string to the children of script, which accepts raw scripts.

The primary use case for doing this, is to insert application scripts within the head, so raw scripts are allowed by default.

There are many ways you can solve this on your end:

• use @vueuse/schema-org
• build the schema object as an object then create the string using JSON.stringify
• provide the children as an object (it will be encoded for you automatically)
• just sanitise the user input when you make the string

There isn't too much this package can do to avoid you from introducing XSS vulnerabilities into your app if you really want.

I will consider the following though:

• if the script type is application/json we can sanitise the input to be JSON
• introduce useHeadSafe to provide a bulletproof way to avoid XSS

Both of these don't fix the "XSS", it's on the dev not to do silly things with user input

from head.

+1

from head.

Since @harlan-zw gave us this idea, I'm sure this issue is no longer a problem, but I'll share this issue's reproduction now,
https://stackblitz.com/edit/nuxt-starter-nynkwv?file=app.vue

I'm looking forward to useHeadSafe() coming to Nuxt3 👍

from head.

Hey, there are many XSS improvements to address this issue available since 1.1.0.

• useHeadSafe
• children is deprecated in favor of innerHTML and textContent, the XSS issues should be more obvious with this. See https://unhead.harlanzw.com/guide/guides/inner-content
• Any application/json or application/ld+json will now be validated as proper JSON (fixes any XSS)

If you have any other ideas on how to improve XSS issues then please create a new issue! Happy to explore making the package as safe as possible without hindering DX.

from head.