Vulnerability Information
Although we use advanced large-model technology, its output may still contain inaccurate or outdated information. Shenlong strives to ensure data accuracy, but please verify and judge according to your actual situation.
Vulnerability Title
Unhead has an XSS bypass in `useHeadSafe` via attribute name injection and case-sensitive protocol check
Vulnerability Description
Unhead is a document head and template manager. Prior to 2.1.11, useHeadSafe() can be bypassed to inject arbitrary HTML attributes, including event handlers, into SSR-rendered <head> tags. This is the composable that the Nuxt docs recommend for safely handling user-generated content. The acceptDataAttrs function (safe.ts, lines 16-20) allows any property key starting with data- through to the final HTML. It only checks the prefix, not whether the key contains spaces or other characters that break HTML attribute parsing. This vulnerability is fixed in 2.1.11.
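To make the prefix-only weakness concrete, the added example below (illustrative code, not unhead's own implementation or its fix) runs a constructed attribute object through a `startsWith('data-')` check and through an assumed stricter validator that also constrains the characters an attribute name may contain; the function names, the regex and the sample keys are all assumptions for this example.

```javascript
// Added example (not unhead's own code): contrast a prefix-only check on
// attribute keys with a validator that also constrains the key's characters.
// A "data-" prefix check alone lets keys containing spaces (or other
// attribute-breaking characters) reach the rendered HTML.

// Naive check: anything starting with "data-" is accepted.
function acceptDataAttrPrefixOnly(key) {
  return key.startsWith('data-');
}

// Hardened check (assumed, illustrative): require the "data-" prefix AND a
// deliberately conservative attribute-name grammar. Hyphen-separated
// lowercase alphanumerics cannot contain whitespace, quotes, '=', '/', '>'
// or other characters that would close the attribute and begin a new one.
const SAFE_DATA_ATTR = /^data-[a-z0-9]+(?:-[a-z0-9]+)*$/;
function acceptDataAttrStrict(key) {
  return SAFE_DATA_ATTR.test(key);
}

// Keep only the entries whose key the given policy accepts.
function filterAttrs(attrs, accept) {
  return Object.fromEntries(Object.entries(attrs).filter(([k]) => accept(k)));
}

// Constructed sample input: one legitimate key, one key carrying a space
// (the attribute-parsing break the advisory describes), one key with an
// embedded '=' and quotes, and one key without the data- prefix.
const SAMPLE_ATTRS = {
  'data-track': 'home',
  'data-x y': 'z',
  'data-a="b"': 'c',
  'title': 'not a data attribute',
};

// Returns the key lists each policy lets through, for side-by-side review.
function compare() {
  return {
    prefixOnly: Object.keys(filterAttrs(SAMPLE_ATTRS, acceptDataAttrPrefixOnly)),
    strict: Object.keys(filterAttrs(SAMPLE_ATTRS, acceptDataAttrStrict)),
  };
}
```

The prefix-only policy passes the keys containing a space and an embedded `="`, while the strict policy keeps only `data-track`.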
CVSS Information
N/A
Vulnerability Type
Improper neutralization of input during web page generation (cross-site scripting)
Vulnerability Title
unhead cross-site scripting vulnerability
Vulnerability Description
unhead is an open-source document head and template manager from UnJS. Versions of unhead prior to 2.1.11 contain a cross-site scripting vulnerability: the useHeadSafe function can be bypassed, which may allow arbitrary HTML attributes, including event handlers, to be injected into SSR-rendered <head> tags.
CVSS Information
N/A
Vulnerability Type
N/A