0
0
Vueframework~20 mins

Why security matters in Vue - Challenge Your Understanding

Choose your learning style9 modes available
LearnWhyDeepVisualTryChallengeProjectRecallPerf
Challenge - 5 Problems
🎖️
Vue Security Master
Get all challenges correct to earn this badge!
Test your skills under time pressure!
🧠 Conceptual
intermediate
2:00remaining
Understanding Cross-Site Scripting (XSS) in Vue
What is the main reason Vue automatically escapes HTML in template bindings?
ATo prevent attackers from injecting malicious scripts into the app
BTo make the app load faster by skipping HTML parsing
CTo allow users to write raw HTML in templates without errors
DTo enable Vue to style elements automatically
Attempts:
2 left
💡 Hint
Think about what happens if user input contains script tags.
component_behavior
intermediate
2:00remaining
Safe Rendering with v-html Directive
What happens if you use v-html with untrusted user input in Vue?
Vue
<template>
  <div v-html="userContent"></div>
</template>

<script setup>
const userContent = '<img src=x onerror=alert(1)>'
</script>
AVue automatically sanitizes the HTML to remove scripts
BVue throws an error and stops rendering
CThe content is displayed as plain text, no HTML rendered
DThe malicious script runs, causing a security risk
Attempts:
2 left
💡 Hint
Consider what v-html does with raw HTML strings.
🔧 Debug
advanced
2:00remaining
Identifying a Security Flaw in Vue Code
Which option shows a Vue snippet that can cause a security vulnerability?
A<template><div>{{ userInput }}</div></template><script setup>const userInput = '<script>alert(1)</script>'</script>
B<template><div v-html="userInput"></div></template><script setup>const userInput = '<script>alert(1)</script>'</script>
C<template><div>{{ userInput }}</div></template><script setup>const userInput = 'Hello World'</script>
D<template><div>{{ userInput }}</div></template><script setup>const userInput = '&lt;script&gt;alert(1)&lt;/script&gt;'</script>
Attempts:
2 left
💡 Hint
Look for where raw HTML is rendered without escaping.
state_output
advanced
2:00remaining
Effect of Sanitizing User Input Before Rendering
If you sanitize user input to remove scripts before assigning it to a Vue reactive variable used with v-html, what will be the output?
Vue
<template>
  <div v-html="safeContent"></div>
</template>

<script setup>
import DOMPurify from 'dompurify'
const rawContent = '<img src=x onerror=alert(1)><p>Hello</p>'
const safeContent = DOMPurify.sanitize(rawContent)
</script>
ANothing is rendered because the content is blocked
BThe malicious script runs and <p>Hello</p> is shown
COnly the <p>Hello</p> is rendered; the malicious script is removed
DVue throws an error because of the sanitizer
Attempts:
2 left
💡 Hint
Think about what sanitizing does to dangerous HTML.
📝 Syntax
expert
2:00remaining
Correct Syntax to Bind Attributes Safely in Vue
Which option correctly binds a user-provided URL to an img tag's src attribute to avoid security issues?
A<img :src="userUrl" alt="User image">
B<img src="{{ userUrl }}" alt="User image">
C<img v-bind:src="userUrl" alt="User image" v-html="userUrl">
D<img src="userUrl" alt="User image">
Attempts:
2 left
💡 Hint
Remember how Vue binds dynamic attributes safely.