Skip to content

fix(nuxt): escape HTML in development error page stack trace #33820

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
danielroe merged 4 commits into from
Dec 9, 2025
Merged

fix(nuxt): escape HTML in development error page stack trace #33820

danielroe merged 4 commits into from
Dec 9, 2025

Conversation

@kTelyakov
Copy link
Contributor

@kTelyakov kTelyakov commented Dec 4, 2025

🔗 Linked issue

Fixes #33790

📚 Description

The development error page (nuxt-error-page.vue) was not escaping the stack trace text before inserting it into HTML, which could lead to XSS if the error message contained malicious content like <script> tags.

@kTelyakov kTelyakov requested a review from danielroe as a code owner December 4, 2025 18:26
@bolt-new-by-stackblitz
Copy link

bolt-new-by-stackblitz bot commented Dec 4, 2025

Review PR in StackBlitz Codeflow Run & review this pull request in StackBlitz Codeflow.

@coderabbitai
Copy link

coderabbitai bot commented Dec 4, 2025
edited
Loading

Walkthrough

Imported escapeHtml from @vue/shared (with an ESLint disable comment) and used it to sanitise each stack trace line before rendering (replacing direct i.text with escapeHtml(i.text)). Stacktrace construction is now performed only in development builds (computed when import.meta.dev is true); in non‑dev builds it is left empty. No exported or public signatures were changed.

Pre-merge checks and finishing touches

✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly and specifically describes the main change: escaping HTML in the development error page stack trace to fix XSS vulnerabilities.
Description check ✅ Passed The description is directly related to the changeset, explaining the XSS vulnerability in the development error page and how the changes address it.
Linked Issues check ✅ Passed The code changes directly address issue #33790 by escaping HTML in stack traces to prevent XSS, preserve error message text, and align with non-dev error page behaviour.
Out of Scope Changes check ✅ Passed All changes are focused on escaping HTML in the error page component as per the linked issue requirements; no unrelated modifications are present.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
✨ Finishing touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Post copyable unit tests in a comment
📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 8eb6aff and bc49a73.

📒 Files selected for processing (1)
  • packages/nuxt/src/app/components/nuxt-error-page.vue (3 hunks)
🧰 Additional context used
📓 Path-based instructions (3)
**/*.{ts,tsx,vue}

📄 CodeRabbit inference engine (.github/copilot-instructions.md)

Follow standard TypeScript conventions and best practices

Files:

  • packages/nuxt/src/app/components/nuxt-error-page.vue
**/*.vue

📄 CodeRabbit inference engine (.github/copilot-instructions.md)

Use <script setup lang="ts"> and the composition API when creating Vue components

Files:

  • packages/nuxt/src/app/components/nuxt-error-page.vue
**/*.{ts,tsx,js,jsx,vue}

📄 CodeRabbit inference engine (.github/copilot-instructions.md)

**/*.{ts,tsx,js,jsx,vue}: Use clear, descriptive variable and function names
Add comments only to explain complex logic or non-obvious implementations
Keep functions focused and manageable (generally under 50 lines), and extract complex logic into separate domain-specific files
Remove code that is not used or needed
Use error handling patterns consistently

Files:

  • packages/nuxt/src/app/components/nuxt-error-page.vue
🧠 Learnings (3)
📚 Learning: 2024-12-12T12:36:34.871Z 
Learnt from: huang-julien
Repo: nuxt/nuxt PR: 29366
File: packages/nuxt/src/app/components/nuxt-root.vue:16-19
Timestamp: 2024-12-12T12:36:34.871Z
Learning: In `packages/nuxt/src/app/components/nuxt-root.vue`, when optimizing bundle size by conditionally importing components based on route metadata, prefer using inline conditional imports like:

```js
const IsolatedPage = route?.meta?.isolate ? defineAsyncComponent(() => import('#build/isolated-page.mjs')) : null
```

instead of wrapping the import in a computed property or importing the component unconditionally.

Applied to files:

  • packages/nuxt/src/app/components/nuxt-error-page.vue
📚 Learning: 2025-11-25T11:42:16.132Z 
Learnt from: CR
Repo: nuxt/nuxt PR: 0
File: .github/copilot-instructions.md:0-0
Timestamp: 2025-11-25T11:42:16.132Z
Learning: Applies to **/*.{ts,tsx,js,jsx,vue} : Use error handling patterns consistently

Applied to files:

  • packages/nuxt/src/app/components/nuxt-error-page.vue
📚 Learning: 2025-11-25T11:42:16.132Z 
Learnt from: CR
Repo: nuxt/nuxt PR: 0
File: .github/copilot-instructions.md:0-0
Timestamp: 2025-11-25T11:42:16.132Z
Learning: Applies to **/*.vue : Use `<script setup lang="ts">` and the composition API when creating Vue components

Applied to files:

  • packages/nuxt/src/app/components/nuxt-error-page.vue
🔇 Additional comments (3)
packages/nuxt/src/app/components/nuxt-error-page.vue (3)

7-8: LGTM: Import is appropriately guarded by usage.

The top-level import combined with the import.meta.dev guard on line 18 allows modern bundlers to tree-shake this dependency in production builds. The eslint disable comment is appropriate since @vue/shared provides the canonical implementation.

18-34: LGTM: Development guard effectively addresses past review concern.

The import.meta.dev guard ensures the stacktrace processing and escapeHtml usage are excluded from production builds, directly addressing the previous review comment about preventing production bundling.

33-33: LGTM: Correct XSS mitigation.

The escapeHtml function properly sanitises the stack trace text before rendering, preventing HTML injection whilst preserving the complete error message text. This directly addresses the security vulnerability described in the linked issue.

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@pkg-pr-new
Copy link

pkg-pr-new bot commented Dec 4, 2025
edited
Loading

Open in StackBlitz

@nuxt/kit

npm i https://pkg.pr.new/@nuxt/kit@33820

@nuxt/nitro-server

npm i https://pkg.pr.new/@nuxt/nitro-server@33820

nuxt

npm i https://pkg.pr.new/nuxt@33820

@nuxt/rspack-builder

npm i https://pkg.pr.new/@nuxt/rspack-builder@33820

@nuxt/schema

npm i https://pkg.pr.new/@nuxt/schema@33820

@nuxt/vite-builder

npm i https://pkg.pr.new/@nuxt/vite-builder@33820

@nuxt/webpack-builder

npm i https://pkg.pr.new/@nuxt/webpack-builder@33820

commit: bc49a73

fix(nuxt): escape HTML in error page stack trace to prevent XSS
a7d8d54 
Fixes nuxt#33790

The stack trace text in the development error page was being inserted
directly into HTML without escaping, which could lead to XSS if the
error message contained malicious content.

This change uses escapeHtml from vue to properly escape the stack trace
text before inserting it into the HTML.
@codspeed-hq
Copy link

codspeed-hq bot commented Dec 4, 2025
edited
Loading

CodSpeed Performance Report

Merging #33820 will not alter performance

Comparing kTelyakov:fix/escape-error-page-xss (bc49a73) with main (08d9d2f)

Summary

✅ 10 untouched

@kTelyakov kTelyakov force-pushed the fix/escape-error-page-xss branch from 5f0dd02 to a7d8d54 Compare December 4, 2025 19:57
danielroe
danielroe reviewed Dec 8, 2025
View reviewed changes
danielroe
danielroe approved these changes Dec 9, 2025
View reviewed changes
Copy link
Member

@danielroe danielroe left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thank you ❤️

@danielroe danielroe changed the title fix(nuxt): escape HTML in error page stack trace to prevent XSS fix(nuxt): escape HTML in error page stack trace Dec 9, 2025
@danielroe danielroe changed the title fix(nuxt): escape HTML in error page stack trace fix(nuxt): escape HTML in development error page stack trace Dec 9, 2025
@danielroe danielroe merged commit 9728d9e into nuxt:main Dec 9, 2025
55 checks passed
@github-actions github-actions bot mentioned this pull request Dec 8, 2025
Merged
danielroe pushed a commit that referenced this pull request Dec 9, 2025
@kTelyakov @danielroe
fix(nuxt): escape HTML in development error page stack trace (#33820)
fd80e09
@github-actions github-actions bot mentioned this pull request Dec 9, 2025
Merged
@coderabbitai coderabbitai bot mentioned this pull request Dec 19, 2025
Open
@coderabbitai coderabbitai bot mentioned this pull request Jan 5, 2026
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@danielroe danielroe danielroe approved these changes

Assignees

No one assigned

Labels

4.x bug

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Development error page does not escape error message

2 participants

@kTelyakov @danielroe