
Is <img :src="require`${JSON.parse(string)}`"> in Electron Vue safe from XSS?

Çağlar Arlı


I am inspecting a client's application written with Vue.js and I found the following construction there.

// Somewhere else in the code
var data = JSON.parse(jsonString); 

// In the vue component
<img :src="require(`@/assets/img/${data.someKey}.png`)">

jsonString is returned from the client's own server; however, if the server is compromised, this data can be manipulated.

The application runs in an Electron environment.

With this construction, is it safe to assume that data.someKey will always contain safe data, or are there ways to abuse it and execute an XSS, either through the require or through ${}?

The whole construction is very questionable, and the client's developers are convinced that JSON.parse is sufficient protection in this case.
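The following is an added example, not code from the question or from the client's application. It models what a webpack build (as used by vue-cli and electron-vue) does with require(`@/assets/img/${data.someKey}.png`): because the key is unknown at build time, webpack emits a context module, a fixed map from every .png found under @/assets/img at build time to its bundled asset URL, and the require becomes a lookup on that map that throws MODULE_NOT_FOUND for anything not in it. The map contents, file names and asset URLs below are constructed for the demo, and the model assumes the component really is bundled by webpack; if the renderer ran unbundled code with nodeIntegration enabled, require would be Node's and this analysis would not apply. The second function shows what validation would look like if the developers stopped relying on JSON.parse, which parses anything and validates nothing.

```javascript
// Added example: a model of webpack's generated context module for
// require(`@/assets/img/${someKey}.png`). Constructed map: files that existed
// under @/assets/img at build time, keyed as "./<relative path>" (subdirectories
// are included because the generated context is recursive).
const contextMap = {
  "./logo.png": "/img/logo.3f2a9c.png",
  "./avatar.png": "/img/avatar.8b1d0e.png",
  "./placeholder.png": "/img/placeholder.0a0a0a.png",
  "./icons/ok.png": "/img/ok.1c4f77.png",
};

// Mirrors webpack's runtime for a context module: unknown keys throw and never
// reach the file system, because the set of modules was fixed at build time.
function webpackContext(key) {
  if (!Object.prototype.hasOwnProperty.call(contextMap, key)) {
    const e = new Error(`Cannot find module '${key}'`);
    e.code = "MODULE_NOT_FOUND";
    throw e;
  }
  return contextMap[key];
}

// What the template binding compiles to: fixed prefix "./", fixed suffix ".png",
// attacker-influenced middle, then the context lookup.
function resolveImgSrc(someKey) {
  return webpackContext(`./${someKey}.png`);
}

// Feed a server response through the same path the component uses.
// JSON.parse only turns text into a value; it does nothing to the value.
function probe(jsonString) {
  const data = JSON.parse(jsonString);
  try {
    return { ok: true, src: resolveImgSrc(data.someKey) };
  } catch (e) {
    return { ok: false, error: e.code };
  }
}

// Hypothetical hardening (assumed, not the client's code): validate the key
// before it reaches require, with a strict charset plus an explicit allowlist,
// and fall back to a known asset instead of throwing inside the render.
const ALLOWED_KEYS = new Set(["logo", "avatar"]);
function safeImgKey(someKey) {
  const wellFormed =
    typeof someKey === "string" && /^[a-z0-9_-]{1,32}$/.test(someKey);
  return wellFormed && ALLOWED_KEYS.has(someKey) ? someKey : "placeholder";
}

// Constructed server responses, including hostile ones.
const samples = [
  '{"someKey":"logo"}',
  '{"someKey":"icons/ok"}',
  '{"someKey":"../../../etc/passwd"}',
  '{"someKey":"logo.png?x=javascript:alert(1)"}',
  '{"someKey":"<img src=x onerror=alert(1)>"}',
  '{"someKey":null}',
];
for (const s of samples) {
  console.log(s, "->", JSON.stringify(probe(s)), "| validated key:",
    safeImgKey(JSON.parse(s).someKey));
}
```

The takeaway the demo makes concrete: under a webpack build the damage an attacker can do through someKey is bounded to picking any image that shipped in the bundle (including ones in subdirectories) or crashing the component with a MODULE_NOT_FOUND during render; the value never becomes markup and never reaches the file system. That bound comes from webpack's context module, not from JSON.parse, so it should be made explicit with validation like safeImgKey rather than left as an accident of the build tool.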