Commit 34aac64

docs: security and csp
1 parent ca4e43d commit 34aac64

2 files changed

+12
-3
lines changed

README.md

Lines changed: 10 additions & 0 deletions
@@ -376,3 +376,13 @@ This is also how Vue 1 worked. The trade-off here is that this approach is coupl
376376
- Although Alpine largely resembles Vue's design, there are variaous cases where the behavior is different from Vue itself. It may also diverge more from Vue in the future. This is good because Alpine shouldn't have to restrict its design to strictly follow Vue - it should have the freedom to develop in a direction that makes sense for its goals.
377377

378378
In comparison, `petite-vue` will try to align with standard Vue behavior whenever possible so that there is less friction moving to standard Vue if needed. It's intended to be **part of the Vue ecosystem** to cover the progressive enhancement use case where standard Vue is less optimized for nowadays.
379+
380+
## Security and CSP
381+
382+
`petite-vue` evaluates JavaScript expressions in the templates. This means **if** `petite-vue` is mounted on a region of the DOM that contains non-sanitized HTML from user data, it may lead to XSS attacks. **If your page renders user-submitted HTML, you should prefer initializing `petite-vue` using [explicit mount target](#explicit-mount-target) so that it only processes parts that are controlled by you**. You can also sanitize any user-submitted HTML for the `v-scope` attribute.
383+
384+
`petite-vue` evaluates the expressions using `new Function()`, which may be prohibited in strict CSP settings. There is no plan to provide a CSP build because it involves shipping an expression parser which defeats the purpose of being lightweight. If you have strict CSP requirements, you should probably use standard Vue and pre-compile the templates.
385+
386+
## License
387+
388+
MIT
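Review bot: the mitigation at the end of the first added paragraph ("sanitize any user-submitted HTML for the `v-scope` attribute") is narrower than the paragraph's own premise that petite-vue evaluates JavaScript expressions in templates. Stripping `v-scope` only stops user HTML from becoming a mount root under auto-mount; if user HTML lands inside an element that is already mounted (via an explicit mount target or an author-owned `v-scope`), every directive and interpolation it contains (`v-if`, `v-for`, `v-effect`, `:attr`, `@event`, `{{ }}`) is still compiled with `new Function()`. Suggest: "If user-submitted HTML must appear inside a mounted region, sanitize it by removing all `v-*`, `:` and `@` attributes and any `{{ }}` interpolation, not only `v-scope`." In the second paragraph, name the CSP directive involved: `new Function()` requires `'unsafe-eval'` in `script-src`, so "may be prohibited in strict CSP settings" would be more useful as "is blocked by any CSP whose `script-src` does not allow `'unsafe-eval'`", and "you should probably use standard Vue" reads better as a firm "you should use standard Vue". Nit in the unchanged context line: "variaous" should be "various".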

package.json

Lines changed: 2 additions & 3 deletions
@@ -17,9 +17,8 @@
1717
},
1818
"scripts": {
1919
"dev": "vite",
20-
"type": "tsc --noEmit",
2120
"build": "vite build",
22-
"prepublishOnly": "yarn type && yarn build"
21+
"prepublishOnly": "tsc --noEmit && yarn build"
2322
},
2423
"repository": {
2524
"type": "git",
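Review bot: removing the `type` script is an unrelated build change in a commit whose message is "docs: security and csp", and it drops the standalone `yarn type` command that contributors and CI could run independently, leaving the type check only inside `prepublishOnly`. Suggest keeping `"type": "tsc --noEmit"` alongside the inlined `prepublishOnly`, or moving the package.json changes into their own commit with a message that describes them.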
@@ -31,7 +30,7 @@
3130
"author": "Evan You",
3231
"license": "MIT",
3332
"bugs": {
34-
"url": "https://github.com/vuejs/petite-vue/issues"
33+
"url": "https://github.com/vuejs/petite-vue/discussions"
3534
},
3635
"homepage": "https://github.com/vuejs/petite-vue#readme",
3736
"devDependencies": {
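Review bot: repointing `bugs.url` at the Discussions page changes the meaning of the npm `bugs` field, which tooling such as `npm bugs` treats as the issue tracker. If Issues are intentionally disabled on the repository and bug reports are meant to go through Discussions, state that in the commit message (the current "docs: security and csp" does not cover this change); otherwise keep the `/issues` URL.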
