Merge pull request #438 from platanus/admin-vue

feat(vue-admin): comment out the vue mount point
platanus · May 23, 2023 · 7c2915a · 7c2915a
2 parents feafd26 + 3120517
commit 7c2915a
Showing 1 changed file with 11 additions and 1 deletion.
diff --git a/lib/potassium/recipes/vue_admin.rb b/lib/potassium/recipes/vue_admin.rb
@@ -136,7 +136,17 @@ def active_admin_js
             },
           });
           app.component('admin_component', AdminComponent);
-          app.mount('#wrapper');
+
+          // Avoid using '#wrapper' as the mount point, as that includes the entire admin page,
+          // which could be used for Client-Side Template Injection (CSTI) attacks. Limit the
+          // mount point to specific areas where you need Vue components.
+
+          // DO NOT mount Vue in elements that contain user input rendered by
+          // ActiveAdmin.
+          // By default ActiveAdmin doesn't escape {{ }} in user input, so it's
+          // possible to inject arbitrary JavaScript code into the page.
+
+          // app.mount('#wrapper');
         }
 
         return null;