From 3120517b75e6c803a59b97b99b1be560edaf33b9 Mon Sep 17 00:00:00 2001
From: Guillermo Moreno
Date: Mon, 22 May 2023 17:07:27 -0400
Subject: [PATCH] feat(vue-admin): comment out the vue mount point

---
 lib/potassium/recipes/vue_admin.rb | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/lib/potassium/recipes/vue_admin.rb b/lib/potassium/recipes/vue_admin.rb
index ad813c19..a9c5b68d 100644
--- a/lib/potassium/recipes/vue_admin.rb
+++ b/lib/potassium/recipes/vue_admin.rb
@@ -136,7 +136,17 @@ def active_admin_js
 },
 });
 app.component('admin_component', AdminComponent);
- app.mount('#wrapper');
+
+ // Avoid using '#wrapper' as the mount point, as that includes the entire admin page,
+ // which could be used for Client-Side Template Injection (CSTI) attacks. Limit the
+ // mount point to specific areas where you need Vue components.
+
+ // DO NOT mount Vue in elements that contain user input rendered by
+ // ActiveAdmin.
+ // By default ActiveAdmin doesn't escape {{ }} in user input, so it's
+ // possible to inject arbitrary JavaScript code into the page.
+
+ // app.mount('#wrapper');
 }
 return null;