0
0
Vueframework~20 mins

Sanitizing user input in Vue - Practice Problems & Coding Challenges

Choose your learning style9 modes available
LearnWhyDeepVisualTryChallengeProjectRecallPerf
Challenge - 5 Problems
🎖️
Sanitizing Master
Get all challenges correct to earn this badge!
Test your skills under time pressure!
component_behavior
intermediate
2:00remaining
What is the output when user input contains HTML tags?

Consider a Vue 3 component that sanitizes user input before displaying it. The user types <script>alert('Hi')</script> in the input box. Which option correctly shows the sanitized output in the rendered page?

Vue
<template>
  <div>
    <input v-model="userInput" placeholder="Type here" />
    <p v-html="sanitizedInput"></p>
  </div>
</template>

<script setup>
import { ref, computed } from 'vue'
import DOMPurify from 'dompurify'

const userInput = ref('')
const sanitizedInput = computed(() => DOMPurify.sanitize(userInput.value))
</script>
A&lt;script&gt;alert('Hi')&lt;/script&gt; (rendered as text, no script runs)
B<script>alert('Hi')</script>
Calert('Hi')
D&lt;script&gt;alert('Hi')&lt;/script&gt;
Attempts:
2 left
💡 Hint

Think about how DOMPurify changes dangerous HTML tags to safe text.

📝 Syntax
intermediate
2:00remaining
Which Vue 3 syntax correctly sanitizes user input before rendering?

Given a user input stored in userInput, which option correctly uses DOMPurify to sanitize and render it safely in Vue 3?

A<p>{{ DOMPurify.sanitize(userInput) }}</p>
B<p v-html="DOMPurify.sanitize(userInput)"></p>
C<p v-text="DOMPurify.sanitize(userInput)"></p>
D<p v-html="userInput"></p>
Attempts:
2 left
💡 Hint

Remember that v-html renders HTML, but you must sanitize it first.

🔧 Debug
advanced
2:00remaining
Why does this Vue 3 component still allow script execution?

Look at this Vue 3 component code:

<template>
  <div>
    <input v-model="userInput" />
    <p v-html="userInput"></p>
  </div>
</template>

<script setup>
import { ref } from 'vue'
const userInput = ref('')
</script>

Why can a user still run scripts by typing HTML with <script> tags?

ABecause Vue automatically escapes all HTML in v-html.
BBecause v-model does not update the userInput variable correctly.
CBecause ref() does not work with strings.
DBecause the input is not sanitized before using v-html, so raw HTML including scripts runs.
Attempts:
2 left
💡 Hint

Think about what v-html does with raw HTML strings.

🧠 Conceptual
advanced
1:30remaining
What is the main reason to sanitize user input in frameworks like Vue?

Why do developers sanitize user input before rendering it in Vue components?

ATo make the input look prettier with CSS styles.
BTo improve the speed of rendering components.
CTo prevent Cross-Site Scripting (XSS) attacks by removing dangerous code.
DTo allow users to enter any HTML without restrictions.
Attempts:
2 left
💡 Hint

Think about security risks from user input.

state_output
expert
2:30remaining
What is the value of displayText after input changes?

In this Vue 3 component, what will displayText contain after the user types <b>Hello</b>?

Vue
<template>
  <div>
    <input v-model="userInput" />
    <p v-html="displayText"></p>
  </div>
</template>

<script setup>
import { ref, computed } from 'vue'
import DOMPurify from 'dompurify'

const userInput = ref('')
const displayText = computed(() => {
  const dirty = userInput.value
  return DOMPurify.sanitize(dirty, { ALLOWED_TAGS: ['b'] })
})
</script>
A<b>Hello</b>
BHello
C&lt;b&gt;Hello&lt;/b&gt;
D<script>alert('Hello')</script>
Attempts:
2 left
💡 Hint

Check which tags are allowed by DOMPurify in this config.