🔧 Bug Fixes
⚠️ BREAKING CHANGES
A low impact security vulnerability was identified with the v-messages
component. Using the value prop, it was possible to perform an XSS attack.
NOTICE
If you are not using HTML for the props rules, messages, hint, success-messages or error-messages, you do not need to do anything.
All values for v-message
are now escaped. This primarily affects inputs as they use v-message
for rule and hint output. To accommodate this change, a scoped slot has been added for users who
need to customize the styling of messages as they will no longer render html.
Components this fix impacts:
v-autocomplete
v-checkbox
v-combobox
v-file-input
v-input
v-messages
v-overflow-btn
v-radio-group
v-select
v-slider
v-switch
v-textarea
v-text-field
<!-- v2.1.8 -->
<v-text-field :rules="['<em>Foo<em>']" />
<!-- v2.1.9 -->
<v-text-field :rules="['Foo']">
<template v-slot:message="{ message, key }">
<em :key="key">{{ message }}</em>
</template>
</v-text-field>
If you have any questions, please reach out to us in our community, https://community.vuetifyjs.com