diff --git a/lib/potassium/recipes/vue_admin.rb b/lib/potassium/recipes/vue_admin.rb
index ad813c19..a9c5b68d 100644
--- a/lib/potassium/recipes/vue_admin.rb
+++ b/lib/potassium/recipes/vue_admin.rb
@@ -136,7 +136,17 @@ def active_admin_js
 },
 });
 app.component('admin_component', AdminComponent);
- app.mount('#wrapper');
+
+ // Avoid using '#wrapper' as the mount point, as that includes the entire admin page,
+ // which could be used for Client-Side Template Injection (CSTI) attacks. Limit the
+ // mount point to specific areas where you need Vue components.
+
+ // DO NOT mount Vue in elements that contain user input rendered by
+ // ActiveAdmin.
+ // By default ActiveAdmin doesn't escape {{ }} in user input, so it's
+ // possible to inject arbitrary JavaScript code into the page.
+
+ // app.mount('#wrapper');
 }
 return null;