XSS Prevention in Vue
Vue's auto-escaping, dangers of v-html, DOMPurify for sanitization, trusted types.
What is XSS
Cross-Site Scripting (XSS) is an attack where malicious script is injected into a page and runs in another user's browser. It can steal cookies, tokens, and data. Vue protects you by default, but a few patterns reopen the door.
Vue Auto-Escapes Interpolation
Text inside mustache interpolation {{ }} is automatically HTML-escaped. A user string containing tags is rendered as harmless text, not executed.
<!-- userInput = "<script>alert(1)</script>" -->
<p>{{ userInput }}</p>
<!-- renders the literal text, no script runs -->