As of bug report #1794 in the BootstrapVue project (<= RC.12), I want to clarify the state of the mentioned vulnerability.
Generally this is not a vulnerability in the BootstrapVue project, as:
- Data sanitization and security are not the job of a component library like BootstrapVue.
- Developers that need security should strictly validate user input and use methods like Content Security Policy (CSP) to prevent such attacks. Fixing them at the component level just reduces the attack surface.
- We already warn users in the docs (for some components, as of RC.11) about not trusting user input.
- BootstrapVue 2.x is still in the RC phase (as of the bug report date), so it should be used with caution.
- As discussed, this problem is totally a lack of advice or proper property naming.
However, there are good reasons to contribute in this area:
- There are properties in the BootstrapVue library that implicitly use innerHTML, which can hide an XSS vulnerability in project source code.
- We need a dedicated security section in the docs.
List of PRs to address this:
Link to vulnerability reports:
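The following is an added example, not code from BootstrapVue or from the post's author. It shows the distinction behind the "implicit innerHTML" point above: the same untrusted string is inert when rendered the way Vue's text interpolation renders it, and live when rendered the way a `v-html`/innerHTML binding renders it. The `label`/`labelHtml` prop pair, the `renderLabel` helper and the `containsMarkup` check are hypothetical conventions invented for this illustration, not BootstrapVue API; they stand in for the "proper property naming" the post asks for, so that the raw-HTML path is an explicit opt-in a reviewer can grep for. The sample input is constructed.

```javascript
// Added example (hypothetical, not BootstrapVue code).
// Escape the five characters that matter when untrusted text is placed in HTML.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Models Vue's text interpolation ({{ label }} / textContent): markup is inert.
function renderAsText(value) {
  return `<span>${escapeHtml(value)}</span>`;
}

// Models a prop bound with v-html / innerHTML: markup in the value is live.
function renderAsHtml(value) {
  return `<span>${String(value)}</span>`;
}

// Hypothetical component prop API: `label` is always rendered as text;
// `labelHtml` is the explicit opt-in for raw markup. The name itself marks
// the XSS sink, instead of hiding it behind a plain-looking prop.
function renderLabel({ label, labelHtml }) {
  if (labelHtml !== undefined) {
    return renderAsHtml(labelHtml);
  }
  return renderAsText(label === undefined ? '' : label);
}

// Rough input check for a value that is supposed to be plain text: rejects
// anything that looks like a tag, comment or processing instruction opener.
// This is a validation aid, not a sanitizer; text rendering is the real defence.
function containsMarkup(value) {
  return /<[a-z!/?]/i.test(String(value));
}

// Constructed sample: a "user name" carrying an event-handler payload.
const untrusted = '<img src=x onerror="alert(1)">Alice';

// Renders the same untrusted value through both paths and reports what the
// validation helper says about it.
function demo() {
  return {
    text: renderLabel({ label: untrusted }),      // payload escaped
    html: renderLabel({ labelHtml: untrusted }),  // payload executes in a browser
    flagged: containsMarkup(untrusted),           // true: should never be labelHtml
  };
}
```

In a real component the `text` path corresponds to `{{ label }}` in the template and the `html` path to `v-html="labelHtml"`; the point of the naming is that a grep for `Html` props finds every place where a caller has opted into the dangerous behaviour.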