Boris Bera has released a proof of concept of an XSS vulnerability that arises when Vue.js is used with server-side rendering. The attack is based on string templates: attackers can target Vue.js by injecting code via malformed templates.
Vue.js, the popular front-end library for building apps, has grown to be a challenger to React.js, and has in practice taken over as the successor to Angular.js as Angular focused on more enterprisey needs from version 2 onwards. This has allowed Vue to catch market share from developers who find the React.js learning curve too steep.
The XSS PoC uses a combination of Vue.js and server-side rendered templates to execute malicious third-party JavaScript from untrusted sources. The demonstration is written in the PHP server-side programming language, but Boris states that any server-side technology used to generate templates can be abused. Mitigation would require using a template language that escapes Vue.js template syntax.
In this case the templates are not rendered with Universal JavaScript, but rather as strings. This means that React.js or other UI libraries could be attacked through a similar vector when attaching to a DOM structure generated as strings. Universal frameworks like Next.js or Nuxt.js are likely not susceptible because of template compilation.
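One way to apply the mitigation described above, as an added example that is not code from Boris Bera's PoC: a server-side string renderer in its weak and hardened forms, written in JavaScript rather than the PoC's PHP. The function names and sample inputs are hypothetical; the hardened form relies on Vue's `v-pre` directive, which makes the compiler skip an element and its children.

```javascript
// Added example: a stand-in for the server that builds the page as a string
// before Vue mounts on #app. Function names are hypothetical.

// Ordinary HTML escaping: prevents tag and attribute injection, nothing more.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Weak: the value is HTML-escaped, but "{{ }}" passes through untouched and
// Vue's in-DOM template compiler evaluates it as an expression on mount.
// Entity-encoding the braces would not help: the browser decodes entities
// before Vue reads the DOM.
function renderWeak(name) {
  return `<div id="app"><p>Hello ${escapeHtml(name)}</p></div>`;
}

// Hardened: HTML-escape the value AND place it inside a v-pre element.
// Escaping keeps the value from closing the span; v-pre keeps Vue from
// compiling whatever text ends up inside it.
function renderHardened(name) {
  return `<div id="app"><p>Hello <span v-pre>${escapeHtml(name)}</span></p></div>`;
}

// Test helper: true if rendered HTML still contains mustache interpolation
// outside a v-pre element. Simplification: assumes v-pre elements do not
// contain nested elements with the same tag name.
function hasLiveInterpolation(html) {
  const outsideVPre = html.replace(/<(\w+)[^>]*\sv-pre[^>]*>[\s\S]*?<\/\1>/g, '');
  return /\{\{[\s\S]*?\}\}/.test(outsideVPre);
}

// Constructed, benign sample input standing in for attacker-controlled text.
const sample = '{{ 1 + 1 }}';
console.log('weak     ->', hasLiveInterpolation(renderWeak(sample)));     // true
console.log('hardened ->', hasLiveInterpolation(renderHardened(sample))); // false
```

A check like `hasLiveInterpolation` fits in a template test suite, run over pages rendered with a marker value in every user-controlled field.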
More details on the case on GitHub: https://github.com/dotboris/vuejs-serverside-template-xss