mirror of
https://github.com/nuxt/nuxt.git
synced 2024-11-14 10:04:05 +00:00
f26a801775
Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com> Co-authored-by: Daniel Roe <daniel@roe.dev>
1.5 KiB
1.5 KiB
title | description | links | |||||||||
---|---|---|---|---|---|---|---|---|---|---|---|
useHeadSafe | The recommended way to provide head data with user input. |
|
The useHeadSafe
composable is a wrapper around the useHead
composable that restricts the input to only allow safe values.
Usage
You can pass all the same values as useHead
useHeadSafe({
script: [
{ id: 'xss-script', innerHTML: 'alert("xss")' }
],
meta: [
{ 'http-equiv': 'refresh', content: '0;javascript:alert(1)' }
]
})
// Will safely generate
// <script id="xss-script"></script>
// <meta content="0;javascript:alert(1)">
::read-more{to="https://unhead.unjs.io/usage/composables/use-head-safe" target="_blank"}
Read more on unhead
documentation.
::
Type
useHeadSafe(input: MaybeComputedRef<HeadSafe>): void
The whitelist of safe values is:
export default {
htmlAttrs: ['id', 'class', 'lang', 'dir'],
bodyAttrs: ['id', 'class'],
meta: ['id', 'name', 'property', 'charset', 'content'],
noscript: ['id', 'textContent'],
script: ['id', 'type', 'textContent'],
link: ['id', 'color', 'crossorigin', 'fetchpriority', 'href', 'hreflang', 'imagesrcset', 'imagesizes', 'integrity', 'media', 'referrerpolicy', 'rel', 'sizes', 'type'],
}
See @unhead/schema for more detailed types.