JS Frameworks, Server Side Rendering, and XSS

Recently on HackerNews an article was published detailing how combining server-side rendering and JavaScript frameworks can sometimes lead to unexpected cases of XSS.

Today, we patched a potential XSS vector in the default application layout shipped with Laravel. If you are using the default Bootstrap authentication scaffolding, you can patch your app.blade.php file by adding the “v-pre” directive to the section of code that display the user’s name:

This patch is already included in new applications created using Laravel 5.6.9 and 5.5.37.