[GHSA-x8qp-wqqm-57ph] vue-i18n's escapeParameterHtml does not prevent DOM-based XSS through its tag attributes #5819

Merged
@@ -1,13 +1,13 @@
{
"schema_version": "1.4.0",
"id": "GHSA-x8qp-wqqm-57ph",
"modified": "2025-07-16T19:32:49Z",
"modified": "2025-07-16T19:32:50Z",
"published": "2025-07-16T19:32:48Z",
"aliases": [
"CVE-2025-53892"
],
"summary": "vue-i18n's escapeParameterHtml does not prevent DOM-based XSS through its tag attributes",
"details": "### Summary\nThe escapeParameterHtml: true option in Vue I18n is designed to protect against HTML/script injection by escaping interpolated parameters. However, this setting fails to prevent execution of certain tag-based payloads, such as <img src=x onerror=...>, if the interpolated value is inserted inside an HTML context using v-html.\n\nThis may lead to a DOM-based XSS vulnerability, even when using escapeParameterHtml: true, if a translation string includes minor HTML and is rendered via v-html.\n\n### Details\n\nWhen escapeParameterHtml: true is enabled, it correctly escapes common injection points.\n\nHowever, it does not sanitize entire attribute contexts, which can be used as XSS vectors via:\n\n`<img src=x onerror=alert(1)>\n`\n### PoC\nIn your Vue I18n configuration:\n\n```\nconst i18n = createI18n({\n escapeParameterHtml: true,\n messages: {\n en: {\n vulnerable: 'Caution: <img src=x onerror=\"{payload}\">'\n }\n }\n});\n```\nUse this interpolated payload:\n\n`const payload = '<script>alert(\"xss\")</script>';`\nRender the translation using v-html (even not using v-html):\n\n`<p v-html=\"$t('vulnerable', { payload })\"></p>\n`\nExpected: escaped content should render as text, not execute.\n\nActual: script executes in some environments (or the payload is partially parsed as HTML).\n\n### Impact\n\nThis creates a DOM-based Cross-Site Scripting (XSS) vulnerability despite enabling a security option (escapeParameterHtml) .",
"details": "### Summary\nThe escapeParameterHtml: true option in Vue I18n is designed to protect against HTML/script injection by escaping interpolated parameters. However, this setting fails to prevent execution of certain tag-based payloads, such as `<img src=x onerror=...>`, if the interpolated value is inserted inside an HTML context using v-html.\n\nThis may lead to a DOM-based XSS vulnerability, even when using escapeParameterHtml: true, if a translation string includes minor HTML and is rendered via v-html.\n\n### Details\n\nWhen escapeParameterHtml: true is enabled, it correctly escapes common injection points.\n\nHowever, it does not sanitize entire attribute contexts, which can be used as XSS vectors via:\n\n`<img src=x onerror=alert(1)>\n`\n### PoC\nIn your Vue I18n configuration:\n\n```\nconst i18n = createI18n({\n escapeParameterHtml: true,\n messages: {\n en: {\n vulnerable: 'Caution: <img src=x onerror=\"{payload}\">'\n }\n }\n});\n```\nUse this interpolated payload:\n\n`const payload = '<script>alert(\"xss\")</script>';`\nRender the translation using v-html (even not using v-html):\n\n`<p v-html=\"$t('vulnerable', { payload })\"></p>\n`\nExpected: escaped content should render as text, not execute.\n\nActual: script executes in some environments (or the payload is partially parsed as HTML).\n\n### Impact\n\nThis creates a DOM-based Cross-Site Scripting (XSS) vulnerability despite enabling a security option (escapeParameterHtml) .",
"severity": [
{
"type": "CVSS_V4",
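Review bot: the markup cleanup in the `details` field is only partial; the Summary paragraph now wraps `<img src=x onerror=...>` in backticks, but the same field still carries a stray `\n` inside two inline code spans (`` `<img src=x onerror=alert(1)>\n` `` and `` `<p v-html=\"$t('vulnerable', { payload })\"></p>\n` ``), which breaks the rendered spans, the PoC fence has no language tag (``` ```js ``` would do), and the Impact sentence ends with `(escapeParameterHtml) .` with a space before the period. The PoC lead-in "Render the translation using v-html (even not using v-html)" also contradicts itself and should state plainly whether the issue reproduces without `v-html`. Since this commit already touches that string, fixing these in the same change avoids a second `modified` bump for formatting alone.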