feat(vue-admin): comment out the vue mount point #438

gmq · 2023-05-22T21:10:51Z

En un Ethical Hacking se encontró que nuestra forma de usar Vue en el admin es vulnerable a ataques de Client-Side Template Injection. Por ejemplo si un usuario escribe {{ 13 + 13 }}, en el admin en las vistas de Index y Show se va a ver como 26. Esto puede ser cualquier tipo de javascript (detalles: https://book.hacktricks.xyz/pentesting-web/client-side-template-injection-csti#vuejs )

Este fix comenta el mount de Vue para que sea una decisión explícita el montar Vue en un elemento.

lib/potassium/recipes/vue_admin.rb

gmq requested a review from difernandez May 22, 2023 21:19

difernandez reviewed May 22, 2023

View reviewed changes

lib/potassium/recipes/vue_admin.rb Show resolved Hide resolved

gmq force-pushed the admin-vue branch from 4880730 to 83aee2d Compare May 23, 2023 14:29

feat(vue-admin): comment out the vue mount point

3120517

gmq force-pushed the admin-vue branch from 83aee2d to 3120517 Compare May 23, 2023 14:31

difernandez approved these changes May 23, 2023

View reviewed changes

gmq merged commit 7c2915a into master May 23, 2023

gmq deleted the admin-vue branch May 23, 2023 14:46

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

feat(vue-admin): comment out the vue mount point #438

feat(vue-admin): comment out the vue mount point #438

gmq commented May 22, 2023

feat(vue-admin): comment out the vue mount point #438

feat(vue-admin): comment out the vue mount point #438

Conversation

gmq commented May 22, 2023