Vue I18n DOM-Based Cross-Site Scripting Vulnerability via Interpolated HTML in v9.0.0 through 9.14.4

A DOM-based Cross-Site Scripting (XSS) vulnerability has been identified in Vue I18n versions 9.0.0 prior to 9.14.5, 10.0.0 prior to 10.0.8, and 11.0.0 prior to 11.1.0. The issue arises when the 'escapeParameterHtml' option is enabled, as this setting fails to adequately sanitize certain tag-based payloads, such as 'img' tags with 'onerror' attributes, when the interpolated values are inserted into an HTML context using 'v-html'. This vulnerability allows for the execution of scripts, undermining the intended protection of the 'escapeParameterHtml' option.

Impact

Exploitation of this vulnerability allows for the execution of scripts injected through certain HTML attributes, such as 'onerror', creating a DOM-based XSS vulnerability.

Reproduction

To reproduce this vulnerability, create a Vue I18n instance with the 'escapeParameterHtml' option set to true. Include a translation string that contains an 'img' tag with an 'onerror' attribute pointing to a JavaScript payload, such as a script tag. Render this translation using 'v-html'. Despite the 'escapeParameterHtml' option, the payload will execute, demonstrating the vulnerability.

Remediation

Users can upgrade to Vue I18n versions 9.14.5, 10.0.8, or 11.1.0, where this vulnerability has been fixed.