
@pi0

pi0/security.md Secret

Last active January 24, 2019 18:46
BootstrapVue XSS Clarification

Regarding bug report #1794 in the BootstrapVue project (versions <= RC.12), I want to clarify the state of the reported vulnerability.

Generally this is not a vulnerability in the BootstrapVue project, because:

  • Data sanitization and security are not the job of a component library like BootstrapVue.
  • Developers who need security should strictly validate user input and adopt measures such as a Content Security Policy (CSP) to prevent such attacks. Fixing them at the component level only reduces the attack surface.
  • We already warn users in the docs (for some components, as of RC.11) not to trust user input.
  • BootstrapVue 2.x is still in the RC phase (as of the bug report date), so it should be used with caution.
  • As discussed, this problem is entirely a lack of advice or of proper property naming.

However, there are good reasons to contribute in this area:

  • There are properties in the BootstrapVue library that implicitly use innerHTML, which can hide an XSS vulnerability in a project's source code.
  • We need a dedicated security section in the docs.

List of PRs to address this:

Link to vulnerability reports:
