dpatrick added a comment.
Many apologies for the delay here. I reviewed this back in June, failed to add my notes, then re-reviewed last week due to code changes since the last time I looked at it. I found no issues while reviewing this library. I checked for the following:
- XSS via unescaped input or failure to maintain escaping (via mustache interpolation, v-model, static data, etc.)
- Resource consumption/DoS
- Template expression injection at runtime from user-controlled data
My only recommendation is to give care to consume only trusted data when using v-html. Outside of this, I think we're good to go to use this library.
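An added illustration of the v-html recommendation above; it is not part of dpatrick's comment, the task, or Vue's own code. It models the two rendering paths a Vue template offers: mustache interpolation, which escapes text (the escape set here is modeled on Vue's), and v-html, which inserts raw markup. The TrustedHtml wrapper, trustedFromTemplate and renderRawHtml are hypothetical names introduced here to show one way of making sure only trusted markup can reach the raw path; the sample comment data is constructed.

```javascript
// Characters that text interpolation ({{ value }}) neutralises before they reach the DOM.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Models what mustache interpolation does to a dynamic value: markup becomes inert text.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Marker type for markup that is trusted by construction: built by our own code from
// escaped parts, or produced by a server-side component we control. A plain string is
// never an instance of this class, so user-controlled data cannot masquerade as trusted.
class TrustedHtml {
  constructor(html) {
    this.html = html;
  }
}

// Tagged template that yields TrustedHtml: the literal parts are our own markup and
// every interpolated value is escaped, so the result is safe to hand to the raw path.
function trustedFromTemplate(strings, ...values) {
  let out = strings[0];
  values.forEach((v, i) => {
    out += escapeHtml(v) + strings[i + 1];
  });
  return new TrustedHtml(out);
}

// Models the v-html path. Only TrustedHtml may pass; anything else is refused so that a
// user-controlled string reaching v-html is a thrown error, not a rendered script.
function renderRawHtml(value) {
  if (!(value instanceof TrustedHtml)) {
    throw new TypeError('v-html refuses untrusted strings; use interpolation or TrustedHtml');
  }
  return value.html;
}

// A comment card rendered entirely through the interpolation path: both fields are
// user-controlled, so both are escaped, and the resulting markup is trusted by construction.
function renderComment({ author, body }) {
  return trustedFromTemplate`<div class="comment"><b>${author}</b>: ${body}</div>`;
}

// Constructed sample input: a user supplied markup in both fields.
const sampleComment = { author: '<i>eve</i>', body: 'hello <b>world</b> & "friends"' };

// Expected behaviour, callable from a test: the user's tags survive only as text.
function renderedSample() {
  return renderRawHtml(renderComment(sampleComment));
}

// Expected behaviour for the failure mode: raw user data cannot reach v-html.
function rawPathRefusesPlainString() {
  try {
    renderRawHtml(sampleComment.body);
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}
```

The design point is that trust is a property of how the markup was produced, not of where the string happens to come from at the moment v-html is bound; encoding that property in a type means a reviewer only has to audit the places that construct TrustedHtml.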
To: dpatrick
Cc: dpatrick, PokestarFan, WMDE-leszek, Volker_E, thiemowmde, Jonas, Aleksey_WMDE, Milimetric, Aklapper, daniel, Lahi, Gq86, GoranSMilovanovic, QZanden, EBjune, enigmaeth, rohitt, Dixtosa, Luke081515, Wikidata-bugs, aude, JanZerebecki, csteipp, Mbch331, Jay8g, Legoktm
_______________________________________________ Wikidata-bugs mailing list Wikidata-bugs@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikidata-bugs