QUESTION UPDATED
I am inspecting a client's application written with Vue.js and I found the following construction there.
// Somewhere else in the code
var data = JSON.parse(jsonString);
// In the vue component
<img :src="require(`@/assets/img/${data.someKey}.png`)">
jsonString is returned from the client's own server; however, if the server is compromised, then this data can be manipulated.
The application is running in an Electron environment.
Is it safe to assume with this construction that data.someKey will always contain safe data, or are there some ways to abuse this construction and execute an XSS, either through a require or through ${}?
The whole construction is very questionable and the client's developers are convinced that JSON.parse is sufficient protection in this case.
INITIAL QUESTION
I have the following construction in JS
var data = JSON.parse(jsonString);
`${data.someKey}`
jsonString comes from an untrusted source.
Is it safe to assume with this construction that data.someKey will always contain safe data, or are there some ways to abuse this construction and execute an XSS?
jsonString in the first place. There might be a risk in what you do with data afterwards.

var jsonString = "{stuff from untrusted source output here}"; before that, or the above code would in reality actually be var data = JSON.parse("{stuff from untrusted source output here}"); - then of course you could have a problem there.
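
An added example, not part of the original question or its comments: JSON.parse only checks that the text is valid JSON, so a value such as data.someKey needs its own type and allowlist check before it is interpolated into the asset path. The function name safeAssetName, the allowlist pattern, the fallback name and the sample responses are assumptions made for illustration.

```javascript
// Added example: names and sample payloads below are constructed for illustration.

// Allowlist for an asset base name: lowercase letters, digits, '_' and '-',
// 1 to 64 characters. No dots, slashes, quotes or markup characters.
const ASSET_NAME = /^[a-z0-9_-]{1,64}$/;

// Parse the server response and return a vetted asset name, or a fallback.
// JSON.parse only guarantees the text is valid JSON; it says nothing about
// the type or content of the values inside it.
function safeAssetName(jsonString, fallback = "placeholder") {
  let data;
  try {
    data = JSON.parse(jsonString);
  } catch (err) {
    return fallback; // not JSON at all
  }
  if (data === null || typeof data !== "object") return fallback;
  const key = data.someKey;
  // Reject non-strings first: `${...}` would call toString() on arrays/objects.
  if (typeof key !== "string") return fallback;
  return ASSET_NAME.test(key) ? key : fallback;
}

// Constructed sample responses.
const samples = [
  '{"someKey": "logo_dark"}',     // expected shape
  '{"someKey": "../../config"}',  // path separators survive JSON.parse
  '{"someKey": "a\\"b<c>"}',      // quotes and angle brackets survive too
  '{"someKey": ["logo"]}',        // valid JSON, wrong type
  '{"other": 1}',                 // key missing
  'not json',                     // parse failure
];

for (const s of samples) {
  console.log(s, "->", safeAssetName(s));
}
```

In the component from the question, the vetted name would replace data.someKey inside the template literal passed to require.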