Static GitHub Issues

[86] Rendering to string is unsafe


Following the approach described in https://medium.com/node-security/the-most-common-xss-vulnerability-in-react-js-applications-2bdffbcc1fa0#.mup3jwgjq, I have tried using the following data string in a page:

<template>
  <div>
    <h1>Welcome</h1>
  </div>
</template>

<script>
export default {
  data () {
    return {
      whatever: '</script><script>console.log("xss")</script>'
    }
  }
}
</script>

which prints "xss" during server-side rendering on the server and in the browser console for client rendering. I believe this is due to unsafe object serialization in self.renderToString.

This bug report is available on Nuxt.js community (#c68): https://nuxtjs.cmty.io/nuxt/nuxt.js/issues/c68
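The serialization problem described in the report, as an added example that is not part of the original issue and not Nuxt's own code: it assumes page state is written into an inline script with `JSON.stringify`, and shows that form beside an escaping serializer. The function names and the `window.__STATE__` global are hypothetical.

```javascript
// Added example (not Nuxt code). All names here are hypothetical.

// Unsafe: JSON.stringify does not escape "<", so a "</script>" sequence inside
// a string value ends the inline script element as soon as the HTML parser
// reaches it, and whatever follows is parsed as new markup.
function renderStateUnsafe(state) {
  return '<script>window.__STATE__=' + JSON.stringify(state) + '</script>';
}

// Characters that matter to the HTML parser, plus the two line separators
// that older JavaScript engines reject inside string literals.
const ESCAPES = {
  '<': '\\u003C',
  '>': '\\u003E',
  '&': '\\u0026',
  '\u2028': '\\u2028',
  '\u2029': '\\u2029'
};

// Hardened: same JSON, but with those characters written as \uXXXX escapes.
// The result is still valid JSON and valid JS, and decodes to the same value.
function serializeForInlineScript(state) {
  return JSON.stringify(state).replace(/[<>&\u2028\u2029]/g, c => ESCAPES[c]);
}

function renderStateSafe(state) {
  return '<script>window.__STATE__=' + serializeForInlineScript(state) + '</script>';
}

// Rough check: count script end tags the way an HTML tokenizer would see them.
// A correctly embedded payload contributes none, so the total must be 1.
function countScriptCloses(html) {
  return (html.match(/<\/script/gi) || []).length;
}

// The data value from the report above.
const state = { whatever: '</script><script>console.log("xss")</script>' };

console.log('unsafe:', countScriptCloses(renderStateUnsafe(state)), 'closing tags');
console.log('safe:  ', countScriptCloses(renderStateSafe(state)), 'closing tag');
```

The same check can be run in a test suite over real server-rendered HTML: any inline state block that contains more than one script end tag has data breaking out of it.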