I need help, they say v-html is not safe, but how would I render posts from database? #6386
-
So we have a table called posts that has a column content, in a format something like this:
<h1>Here it is</h2>
<p>Some contents here.</p>
If v-html is not safe, is there any alternative then? Because if I just use
Replies: 3 comments 2 replies
-
Don't trust user input; filtering special characters can reduce most XSS.
-
v-html is as safe as the HTML that you consume. Ideally, you should sanitize the HTML in your back-end, before saving the content in the database. If you (or your team) don't control the database, you should sanitize the content on the front-end. Apart from the great suggestions by @liulinboyi, I've created a Vue wrapper to the great sanitize-html library: https://github.com/leopiccionia/vue-sanitize-directive
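To make the two replies above concrete (escaping special characters, as @liulinboyi suggests, versus sanitizing the stored HTML against an allowlist before handing it to v-html), here is an added example. It is not code from this thread, from Vue, or from the vue-sanitize-directive or sanitize-html projects. The sample rows, the allowlist, and the helper names (escapeHtml, sanitizeHtml, renderChoices) are assumptions made for the illustration, and the hand-written sanitizer exists to show the mechanism, not to replace a maintained library.

```javascript
// Added example for this discussion; not code from the thread, from Vue, or from
// the vue-sanitize-directive / sanitize-html projects. It contrasts the three
// ways a template can treat post.content: escape it (what {{ }} does), render it
// raw (what v-html does), or sanitize it against an allowlist before v-html.
// The allowlist sanitizer below is a small illustration of the approach; in
// production use a maintained library (sanitize-html, DOMPurify), because real
// HTML parsing has many more edge cases than this tokenizer handles.

// Constructed sample rows in the shape the question describes (assumed data).
const BENIGN_POST = { content: '<h1>Here it is</h1>\n<p>Some contents here.</p>' };
const HOSTILE_POST = {                       // what an attacker could store in the same column
  content: '<p>Hi</p><img src=x onerror="alert(document.cookie)">' +
           '<a href="javascript:alert(1)">click</a><script>alert(1)</script><b>bold</b>',
};

// Escaping is what Vue's {{ }} interpolation does: every HTML metacharacter
// becomes an entity, so the browser displays the tags instead of parsing them.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Allowlist (assumed for the example): which tags may survive, and which
// attributes each may keep. Event handlers (onerror, onclick, ...) are never listed.
const ALLOWED_TAGS = {
  h1: [], h2: [], h3: [], p: [], br: [], em: [], strong: [], ul: [], ol: [], li: [],
  a: ['href'],
};
// href values must use a scheme that cannot execute script.
const SAFE_HREF = /^(https?:|mailto:|\/|#)/i;
const TAG_RE = /<\/?([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/g;
const ATTR_RE = /([a-zA-Z][a-zA-Z0-9-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;

// Keep only allowlisted attributes of an allowlisted tag, with safe href schemes.
function sanitizeAttrs(tag, rawAttrs) {
  const keep = [];
  for (const m of rawAttrs.matchAll(ATTR_RE)) {
    const name = m[1].toLowerCase();
    const value = m[2] ?? m[3] ?? m[4] ?? '';
    if (!ALLOWED_TAGS[tag].includes(name)) continue;                 // unknown attribute: dropped
    if (name === 'href' && !SAFE_HREF.test(value.trim())) continue;  // javascript:, data:, ...
    keep.push(` ${name}="${escapeHtml(value)}"`);
  }
  return keep.join('');
}

// Allowlist sanitizer. Anything that is not an allowed tag is either removed
// (disallowed tags; script/style together with their bodies) or escaped (all
// other text), so the output can only contain markup the allowlist permits.
function sanitizeHtml(html) {
  const out = [];
  let last = 0;
  let m;
  TAG_RE.lastIndex = 0;
  while ((m = TAG_RE.exec(html)) !== null) {
    out.push(escapeHtml(html.slice(last, m.index)));
    last = TAG_RE.lastIndex;
    const name = m[1].toLowerCase();
    const closing = m[0].startsWith('</');
    if (!closing && (name === 'script' || name === 'style')) {
      // Drop the element with its body: it is code, not content.
      const closeRe = new RegExp(`</${name}\\s*>`, 'ig');
      closeRe.lastIndex = last;
      last = closeRe.exec(html) ? closeRe.lastIndex : html.length;
      TAG_RE.lastIndex = last;
      continue;
    }
    if (!(name in ALLOWED_TAGS)) continue;                 // drop the tag, keep its text
    out.push(closing ? `</${name}>` : `<${name}${sanitizeAttrs(name, m[2])}>`);
  }
  out.push(escapeHtml(html.slice(last)));
  return out.join('');
}

// What each template choice hands to the browser for one post.
function renderChoices(post) {
  return {
    interpolated: escapeHtml(post.content),     // {{ post.content }}: safe, but shows literal tags
    rawVHtml: post.content,                     // v-html="post.content": runs whatever was stored
    sanitizedVHtml: sanitizeHtml(post.content), // v-html="sanitizeHtml(post.content)"
  };
}

console.log(renderChoices(BENIGN_POST));
console.log(renderChoices(HOSTILE_POST));
```

Run it with node. For the benign row all three choices are harmless, but only the raw and sanitized ones show formatted headings; for the hostile row the raw choice ships the onerror handler, the javascript: link and the script element straight to the browser, while the sanitized choice keeps just the paragraph, the link text and the plain text. Attribute names, tag names and URL schemes are matched case-insensitively, and any markup the tokenizer cannot parse cleanly falls through to escapeHtml, which is the fail-safe direction. Real content also contains entity-encoded attribute values, nested quoting, SVG and MathML, which is why the second reply points at sanitize-html rather than at a handful of regexes.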
-
What bugs me about