Script tag is not escaped when using :option="" in form-select #1974

Closed
@yob-yob

I was trying to do some XSS in my project and I got some un-shown text, which I found out was caused by the script tag not being escaped. So I tried doing a v-for loop inside an <option> tag and used {{ }} (double brackets) to escape the script tag. I would like to make a pull request, but sadly bootstrap_vue is using renderless components (I don't really know, but it's using a render function), which I don't have much knowledge about. So I just submitted an issue here.

By the way, you can replicate the problem using the live documentation on the Bootstrap_vue site.

My browser: Opera
Operating System: Fedora LXDE
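
A workaround for the behaviour reported above, as an added example that is not part of the original issue or of bootstrap-vue's code: escape option labels before binding them to the select. It assumes the component inserts the label as HTML, as the report describes; `escapeHtml`, `safeOptions` and the option shapes handled are this example's own assumptions, and the sample input is constructed.

```javascript
// Added example: neutralize markup in option labels before they reach a
// select component that is assumed to insert labels as HTML.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Replace every HTML-significant character with its entity.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Accepts the option shapes assumed here: an array of primitives, an array
// of { value, text } objects, or a { value: text } map. Returns an array of
// objects whose `text` is escaped; `value` and other fields are untouched.
function safeOptions(options) {
  const list = Array.isArray(options)
    ? options
    : Object.entries(options).map(([value, text]) => ({ value, text }));
  return list.map((opt) => {
    const o = opt !== null && typeof opt === 'object'
      ? opt
      : { value: opt, text: opt };
    return { ...o, text: escapeHtml(o.text ?? o.value) };
  });
}

// Constructed sample input, e.g. labels that came from user-supplied data.
const untrusted = [
  'Plain',
  { value: 2, text: '<script>alert(1)</script>' },
  { value: 3, text: 'Tom & "Jerry"', disabled: true },
];

// In a component: <b-form-select :options="safeOptions(untrusted)" />
console.log(safeOptions(untrusted));
```

If the component version in use already escapes labels itself, drop this step, since the labels would otherwise be escaped twice and show the entities literally.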
