Javascript Vue Client Side Template Injection
Description
This detector identifies client-side template injection vulnerabilities in Vue.js applications. Client-side template injection occurs when user-controlled data is directly inserted into Vue.js templates without proper sanitization, allowing attackers to execute arbitrary JavaScript code in the user's browser context and potentially steal sensitive data or perform malicious actions.
Detection Strategy
• Scans JavaScript and Vue.js source code files for template syntax and expressions
• Identifies Vue.js template constructs
• Analyzes data flow to determine if user-controlled input reaches Vue.js template rendering without proper sanitization
• Reports vulnerabilities when untrusted data is used directly in Vue.js templates, particularly in v-html directives or template interpolations that could execute JavaScript
• Focuses on scenarios where external data sources (user input, API responses, URL parameters) are bound to Vue.js templates without validation or encoding
Vulnerable code example
import Vue from "vue";
import { createApp } from "vue";
const userInput = prompt("Template");
// VULNERABLE: User-controlled content compiled as Vue template
createApp({
template: userInput...✅ Secure code example
import Vue from "vue";
import { createApp } from "vue";
const userInput = prompt("Template");
// SAFE: User input displayed as data, not compiled as template
createApp({
template: "<div>{{ userInput }}</div>",...Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.