JS Frameworks, Server Side Rendering, and XSS

Taylor Otwell
Mar 7, 2018 · 1 min read

Recently on Hacker News an article was published detailing how combining server-side rendering with a JavaScript framework can sometimes lead to unexpected cases of XSS: the server escapes HTML correctly, but the rendered text still contains the framework's own template delimiters, which the framework then evaluates in the browser.

Today, we patched a potential XSS vector in the default application layout shipped with Laravel. Blade’s {{ }} syntax escapes HTML metacharacters, but curly braces are not among them, so a user name such as {{ ... }} is emitted verbatim and then compiled as a Vue expression when Vue mounts on the #app element. The v-pre directive tells Vue to skip compiling that element. If you are using the default Bootstrap authentication scaffolding, you can patch your app.blade.php file by adding the “v-pre” directive to the section of code that displays the user’s name:
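The following is an added example, not code from the original post or from Laravel, modelling the chain above in plain JavaScript: a Blade-style escape function, a simplified stand-in for the user-name dropdown in app.blade.php (the markup is assumed, not the scaffold’s exact template), and a check that lists the mustache interpolations Vue would compile in the rendered HTML. It assumes Vue is mounted on #app, as the default scaffolding does, and the malicious user name is a constructed sample.

```javascript
// Added example, not code from the original post or from Laravel.
// Blade's {{ }} HTML-escapes a value, but Vue's mustache delimiters are
// braces, which HTML escaping never touches, so an escaped user name can
// still be compiled as a Vue expression once Vue mounts on #app (assumed
// mount point). v-pre marks an element that Vue must leave alone.

// Mirrors what Laravel's e() helper does (htmlspecialchars with ENT_QUOTES).
function bladeEscape(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#039;');
}

// Simplified stand-in for the user-name dropdown in app.blade.php (assumed
// markup, not the scaffold's exact template). With vPre=true the anchor
// carries the v-pre directive.
function renderLayout(userName, { vPre }) {
  const attr = vPre ? ' v-pre' : '';
  return [
    '<div id="app">',
    `  <a href="#" class="dropdown-toggle"${attr}>`,
    `    ${bladeEscape(userName)} <span class="caret"></span>`,
    '  </a>',
    '</div>',
  ].join('\n');
}

// Returns the mustache interpolations Vue would compile in the rendered HTML:
// every {{ ... }} that is not inside an element marked v-pre.
// Simplification (assumption): a v-pre element is matched to the first closing
// tag of the same name, which suits the flat markup above; use a real DOM
// parser for arbitrary pages.
function findCompiledMustaches(html) {
  const vPreElement = /<([a-z][\w-]*)\b[^>]*\sv-pre\b[^>]*>[\s\S]*?<\/\1>/gi;
  const outsidePre = html.replace(vPreElement, '');
  return outsidePre.match(/\{\{[\s\S]*?\}\}/g) || [];
}

// Constructed malicious user name: a mustache expression that reaches the
// Function constructor through the prototype chain of any object in scope.
const maliciousName = "{{ constructor.constructor('alert(1)')() }}";

function demo() {
  const vulnerable = renderLayout(maliciousName, { vPre: false });
  const patched = renderLayout(maliciousName, { vPre: true });
  return {
    // HTML escaping did its job: no angle brackets survive.
    escapedContainsNoTags: !/[<>]/.test(bladeEscape(maliciousName)),
    // ...but without v-pre Vue still sees a mustache to evaluate.
    vulnerableFindings: findCompiledMustaches(vulnerable),
    // With v-pre the element is excluded from compilation.
    patchedFindings: findCompiledMustaches(patched),
  };
}

console.log(demo());
```

The point of findCompiledMustaches is that it is a server-side check: you can run it over any server-rendered fragment that lands inside a Vue mount point and flag interpolations that did not come from your own templates. Keep in mind that the escaped quotes (&#039;) are decoded by the browser before Vue reads the DOM, so the entity encoding in the rendered string offers no protection against this class of payload.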

This patch is already included in new applications created using Laravel 5.6.9 and 5.5.37.

Creator of Laravel.
