Gathering detailed insights and metrics for vue-html-secure
Gathering detailed insights and metrics for vue-html-secure
Vue.js 2.x plugin to add HTML secure directives v-html-remove, v-html-escape, v-html-safe
Installations
npm install vue-html-secureDeveloper Guide
BETA
Typescript
No
Module System
CommonJS
Node Version
12.22.7
NPM Version
6.14.15
Score
77
Supply Chain
99.4
Quality
75.6
Maintenance
100
Vulnerability
100
License
Releases
Unable to fetch releases
Languages
1
JavaScript
JavaScript (100%)
Developer
nolimitdev
Download Statistics
Total Downloads
547,770
Last Day
655
Last Week
3,249
Last Month
14,424
Last Year
204,615
GitHub Statistics
MIT License
30 Stars
13 Commits
4 Forks
1 Watchers
1 Branches
1 Contributors
Updated on Dec 14, 2023
Bundle Size
2.01 kB
Minified
778.00 B
Minified + Gzipped
Maintainers
1
Package Meta Information
Latest Version
1.0.10
Package Id
vue-html-secure@1.0.10
Unpacked Size
10.93 kB
Size
3.53 kB
File Count
4
NPM Version
6.14.15
Node Version
12.22.7
Total Downloads
Cumulative downloads
Total Downloads
547,770
Last Day
112.7%
655
Compared to previous day
Last Week
3.1%
3,249
Compared to previous week
Last Month
-15.4%
14,424
Compared to previous month
Last Year
23.1%
204,615
Compared to previous year
Weekly Downloads
Monthly Downloads
Yearly Downloads
No dependencies detected.
vue-html-secure 
Vue.js plugin to add HTML secure directives v-html-remove, v-html-escape, v-html-safe which are secure alternatives to official v-html. Using official v-html can easily lead to XSS attacks and must be used on trusted content only and never on user-provided content. Most popular JavaScript libraries to sanitize HTML string are too huge (from several hundred KB to several MB) with lot of dependencies. This plugin is lightweight (only 2kB packed size) without dependency. The main feature is to secure HTML string to avoid XSS attacks such as <img src='' onerror=alert('XSS!')> or <a href="javascript:alert('XSS!')"></a>.
Install
To install with npm or yarn, use
1npm install --save vue-html-secure 2 3// or 4 5yarn add vue-html-secure
Directives and functions
v-html-safe="..." or $safeHTML(...)
This leaves all HTML tags except for <script> and removes insecure elements's attributes starting "on*" and also values starting "javascript:*".
v-html-escape="..." or $escapeHTML(...)
This replaces chars <, >, $ to appropriate HTML entities <, >, &. This does not escape single or double quotes for string usage in HTML attribute (it is not aim of this plugin to do that).
Note that in case v-html-escape you can directly use official v-text, but using function can have sense e.g. message : 'My <b>secure part</b> and user-provided insecure part: ' + this.$escapeHTML(...).
v-html-remove="..." or $removeHTML(...)
This removes all HTML tags but preserves it's text content.
Usage
1////////// JS for Vue 2.x \\\\\\\\\\ 2 3import Vue from 'vue'; 4import VueSecureHTML from 'vue-html-secure'; 5 6Vue.use(VueSecureHTML); 7 8// Optional 9// Vue.prototype.$safeHTML = VueSecureHTML.safeHTML; 10// Vue.prototype.$escapeHTML = VueSecureHTML.escapeHTML; 11// Vue.prototype.$removeHTML = VueSecureHTML.removeHTML; 12 13const App = new Vue({ 14 el: '#app', 15 data() { 16 return { 17 message : "Hello <img src='' onerror=alert('XSS!')> VUE", 18 } 19 }, 20});
1////////// JS for Vue 3.x \\\\\\\\\\
2
3import * as Vue from 'vue';
4import VueSecureHTML from 'vue-html-secure';
5
6const App = Vue.createApp({
7 data() {
8 return {
9 message : "Hello <img src='' onerror=alert('XSS!')> VUE",
10 }
11 },
12});
13
14// Optional
15App.config.globalProperties.$safeHTML = VueSecureHTML.safeHTML;
16App.config.globalProperties.$escapeHTML = VueSecureHTML.escapeHTML;
17App.config.globalProperties.$removeHTML = VueSecureHTML.removeHTML;
18
19App.use(VueSecureHTML);
20App.mount('#app');Example 01
1<div v-html-safe="message"></div>> 2<div v-html-escape="message"></div> 3<div v-html-remove="message"></div>
Example 02
1<div>{{ $safeHTML(message) }}</div> 2<div>{{ $escapeHTML(message) }}</div> 3<div>{{ $removeHTML(message) }}</div>
Example 03
1new Vue({ // or Vue.createApp({ 2 data() { 3 return { 4 message : 'My <b>secure part</b> and user-provided insecure part: ' + 5 this.$escapeHTML("<h1>Foo</h1>"), 6 } 7 }, 8});
1<!-- note official v-html here --> 2<div v-html="message"></div>
Note 1: This is for Vue.js 2.x and Vue.js 3.x.
Note 2: In future releases will be added whitelist and blacklist of HTML tags.
No vulnerabilities found.
Reason
no binaries found in the repo
Reason
0 existing vulnerabilities detected
Reason
license file detected
Details
- Info: project has a license file: LICENSE:0
- Info: FSF or OSI recognized license: MIT License: LICENSE:0
Reason
Found 0/13 approved changesets -- score normalized to 0
Reason
no SAST tool detected
Details
- Warn: no pull requests merged into dev branch
Reason
0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
security policy file not detected
Details
- Warn: no security policy file detected
- Warn: no security file to analyze
- Warn: no security file to analyze
- Warn: no security file to analyze
Reason
project is not fuzzed
Details
- Warn: no fuzzer integrations found
Reason
branch protection not enabled on development/release branches
Details
- Warn: branch protection not enabled for branch 'master'
Score
3
/10
Last Scanned on 2025-04-28
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Learn More