request #13278 Remove direct usage of the v-html directive in Vue apps
    Thomas Gerbet (tgerbet)
    2019-04-23 10:14
    2019-04-17 17:16
    Remove direct usage of the v-html directive in Vue apps
    Tuleap is using Vue more and more frequently which is not that bad from a security point of view. This kind of modern web framework makes harder for the developers to introduce XSS vulnerabilities.

    Unfortunately there are a few places in Tuleap where a user can manipulate HTML code directly and it is needed to render it inside a Vue app forcing us to use the unsafe v-html directive [0]. In this situation the developer is supposed to sanitize the value being given to the v-html directive but we had a few close calls recently where the value was used directly without any sanitization.

    So to reduce the likelihood of ending up with a XSS due to a missing sanitization in v-html directive, I played a bit and ended up with a Vue plugin. This plugin, vue-dompurify-html [1], proposes a drop-in replacement of the v-html directive but it forces the value to be sanitized by DOMPurify [2].
    They are multiple goals here:
    * make it easier to do the right thing for the developers: besides telling Vue to use the plugin at the instantiation of the app, the new directive can be used directly. There is no need of defining a new computed properties to sanize the value which means less boilerplate code.
    * reduce the number of points to inspect: only the directive/plugin code (and potentially a custom config at the init of the Vue app) instead of all the usages of v-html and the computed props associated with them.

    It's outside the scope of this request but we should also works on making it more difficult to use the v-html to introduce a path of least resistance to the safer alternative. We already have an ESLint rule checking that v-html is not used. We should enforce it in the CI pipeline and make it harder to disable.

    [0] https://vuejs.org/v2/guide/syntax.html#Raw-HTML
    [1] https://github.com/LeSuisse/vue-dompurify-html
    [2] https://github.com/cure53/DOMPurify
    internal improvement