JS Frameworks, Server Side Rendering, and XSS

Taylor Otwell
1 min read · Mar 7, 2018
Recently on HackerNews an article was published detailing how combining server-side rendering and JavaScript frameworks can sometimes lead to unexpected cases of XSS.

Today, we patched a potential XSS vector in the default application layout shipped with Laravel. If you are using the default Bootstrap authentication scaffolding, you can patch your app.blade.php file by adding the “v-pre” directive to the section of code that displays the user’s name:
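As an added before/after illustration (not the snippet from the original post), here is the navbar link from the default Laravel 5.5/5.6 Bootstrap scaffolding as shipped, and then with the v-pre directive applied; the surrounding attributes are reconstructed from memory of that scaffolding and are an assumption, the relevant change is the v-pre attribute.

```html
{{-- Before (vulnerable): Blade's {{ }} escapes <, >, &, and quotes, so no raw
     tags reach the browser. Braces are not HTML-special, though, so a name
     containing "{{ ... }}" survives into the DOM unchanged. The layout mounts
     Vue on <div id="app">, and Vue scans the text inside that root for mustache
     expressions and evaluates them as JavaScript in the page. A quick check:
     if an account named "{{ 7*7 }}" shows up as "49" here, the layout is
     vulnerable to client-side template injection. --}}
<a id="navbarDropdown" class="nav-link dropdown-toggle" href="#" role="button"
   data-toggle="dropdown" aria-haspopup="true" aria-expanded="false">
    {{ Auth::user()->name }} <span class="caret"></span>
</a>

{{-- After (patched): v-pre tells Vue to skip compiling this element and its
     children, so the server-rendered text is displayed exactly as Blade
     emitted it and is never treated as a template. --}}
<a id="navbarDropdown" class="nav-link dropdown-toggle" href="#" role="button"
   data-toggle="dropdown" aria-haspopup="true" aria-expanded="false" v-pre>
    {{ Auth::user()->name }} <span class="caret"></span>
</a>
```

The same applies to any other server-rendered, user-controlled text placed inside the Vue root: either mark the element with v-pre or keep such content outside the mounted element.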

This patch is already included in new applications created using Laravel 5.6.9 and 5.5.37.
