v-html bound to a dynamic value
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 15 points from that category, once per scan, no matter how many places it turns up.
What it detects
v-html renders its expression as raw HTML; binding it to a variable or member expression rather than a static string literal is a DOM XSS sink unless the value is sanitized.
Why it matters
v-html renders its bound expression as live HTML, so any variable that reaches it can inject a script tag or an onerror handler that runs in your users' session. Vue escapes normal interpolation for exactly this reason, and v-html turns that protection off. Content that looks safe today (a bio, a comment, CMS output) tends to become attacker-controlled later.
How to fix it
Prefer normal text interpolation, which escapes automatically. Where you genuinely need to render HTML, sanitize it first with DOMPurify and bind the sanitized result, keeping the sanitize call at the point of render. Never pass raw request data, user profiles, or third-party API responses straight into v-html.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo