JS Frameworks, Server Side Rendering, and XSS

Recently on HackerNews an article was published detailing how combining server-side rendering and JavaScript frameworks can sometimes lead to unexpected cases of XSS.

Today, we patched a potential XSS vector in the default application layout shipped with Laravel. If you are using the default Bootstrap authentication scaffolding, you can patch your app.blade.php file by adding the “v-pre” directive to the section of code that displays the user’s name:
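An illustration of the change, added here and not taken from Laravel's own layout file: a simplified, constructed Blade fragment showing the same link before and after the fix. It assumes the markup sits inside the element Vue mounts on (the `#app` id and the class names are assumptions). A stored name such as `{{ 1 + 1 }}` would be displayed as `2` by the first link and as the literal text by the second.

```html
{{-- Constructed example fragment. Assumption: Vue is mounted on #app. --}}
<div id="app">
    <nav>
        {{-- Before: Blade HTML-escapes the name on the server, but escaping
             leaves curly braces untouched. If the name contains a mustache
             expression, it reaches the browser as plain text and Vue then
             compiles and evaluates it while processing the #app template. --}}
        <a href="#" class="dropdown-toggle">
            {{ Auth::user()->name }}
        </a>

        {{-- After: v-pre makes Vue skip compilation of this element and all
             of its children, so the name is shown exactly as Blade rendered
             it and is never treated as a Vue template. --}}
        <a href="#" class="dropdown-toggle" v-pre>
            {{ Auth::user()->name }}
        </a>
    </nav>
</div>
```

The same reasoning applies to any other server-rendered, user-controlled value that is output inside the element Vue compiles.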

This patch is already included in new applications created using Laravel 5.6.9 and 5.5.37.
