AJAX templating techniques such as the one Vue uses (the double braces that insert content into a page) have a natural resilience to XSS injection: they insert values through the functions provided by the browser's DOM (Document Object Model) API, which treats the value as text, rather than by concatenating strings into markup that the HTML parser then interprets. AJAX clients are still susceptible to XSS flaws, though, so we need to test just how vulnerable our users are.
We can quickly test this by creating a customer and a product whose string fields are primarily made up of a script tag. The following script tag will pop up an alert box:

Insert this into any column that is a varchar (enter valid values for the other columns). Enter normal values (not script tags) for any fields that will be used as path parameters in web service operations (such as the product ID, category, and username), since the '/' character in the closing script tag will be interpreted as a path separator and break your service calls. The alert uses a number (111) rather than a string to avoid any escaping of quote marks that might otherwise occur.
Add a customer and a product to your database where all of the string values use the above script tag. Add the customer via the register page, since password hashing will only be done if the customer is created properly. For the products, you can use the H2 console: query the table, then hit the < > button that appears at the bottom of the result.
Repeat the test with the older SSR version of the project. JSP is very much not resilient to XSS injection --- we would expect to see some alerts here.
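The difference between the two rendering strategies described above (string concatenation into markup versus a DOM text-node binding such as Vue's double braces) can be seen without a browser. The following is an added example, not code from the book or the project it describes; the customer record, field names and rendering functions are constructed for illustration. Node has no DOM, so the text-node path is simulated by HTML-escaping the value, which is the effect the browser guarantees when a string is assigned as text content. The concatenation path reproduces the unescaped behaviour the text attributes to the JSP version.

```javascript
// Added example (not the book's or the project's code). Contrasts a
// string-concatenation renderer with a renderer that treats values as text,
// and includes a check a defender can run over rendered output.

// Constructed sample: every string field holds the alert payload used in the
// test above; the username stays plain because it is used as a path parameter.
const PAYLOAD = "<script>alert(111)</script>";
const sampleCustomer = { username: "alice", firstName: PAYLOAD, lastName: PAYLOAD };

// Vulnerable path: the value is spliced straight into markup, so a browser's
// HTML parser would see a real <script> element (what an unescaped server-side
// template expression produces).
function renderByConcatenation(customer) {
  return "<li>" + customer.firstName + " " + customer.lastName + "</li>";
}

// Escape the characters that are significant in element content and attribute
// values. Assigning a string via the DOM as text content has this effect.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Resilient path: simulates a DOM text-node binding such as Vue's {{ }}.
function renderAsText(customer) {
  return "<li>" + escapeHtml(customer.firstName) + " " + escapeHtml(customer.lastName) + "</li>";
}

// Detection helper: flags markup that contains a live script element.
// Case-insensitive and tolerant of whitespace or attributes after the tag name,
// so it can be run over a response body or a test fixture.
function containsScriptElement(markup) {
  return /<script[\s>]/i.test(markup);
}

// Stand-alone run: show both renderings and the verdict for each.
for (const [label, render] of [["concatenation", renderByConcatenation], ["text binding", renderAsText]]) {
  const out = render(sampleCustomer);
  console.log(`${label}: ${out}`);
  console.log(`  live <script> element present: ${containsScriptElement(out)}`);
}
```

Running the block prints the concatenated markup with an intact script element and the text-bound markup with the tag turned into `&lt;script&gt;...`, which is what makes the second version show the payload as harmless text instead of executing it. The same check, applied to the SSR project's response bodies, is a quick way to confirm whether a given page escapes its values.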