XSS prevention: rendering unescaped HTML `useHeadRaw`
harlan-zw opened this issue · comments
Problem
The only way to render child DOM node content is with children
which sets the textContent
of an element.
Users want a way to set the innerHTML
of an element, related: #84, #51
They also want to render props without escaping, related: #59, #46
There are some security implications here, if we support this and users are filling useHead
directly from an external source, then it's possible that they would be open to XSS.
Proposed Solution
To mitigate against this while still providing a nice DX, it may be required to create a new function useHeadRaw
, which would mark all input as raw
, meaning it won't be sanitised.
We can also introduce useHeadRaw
specific attributes, such as on
for htmlAttr
and bodyAttr
, allowing a user to provide events to be ran, related #47
@antfu Do you have any thoughts on this? Will work on a PR for it soon
This is released in 0.9.x