Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Summary

Vue I18n is the internationalization plugin for Vue.js. The `escapeParameterHtml: true` option in Vue I18n is designed to protect against HTML/script injection by escaping interpolated parameters. However, in affected versions, this setting fails to prevent execution of certain tag-based payloads, such as `<img src=x onerror=...>`, if the interpolated value is inserted inside an HTML context using v-html. This may lead to a DOM-based XSS vulnerability, even when using `escapeParameterHtml: true`, if a translation string includes minor HTML and is rendered via v-html. This issue affects @intlify/core and @intlify/shared versions 9.0.0-beta.10 through 9.14.4, 10.0.0-alpha.1 through 10.0.7, 11.0.0-beta.0 through 11.1.9 and 12.0.0-alpha.1 through 12.0.0-alpha.3, petite-vue-i18n and @intlify/vue-i18n-core versions 9.2.0-alpha.7 through 9.14.4, 10.0.0-alpha.1 through 10.0.7, 11.0.0-beta.0 through 11.1.9 and 12.0.0-alpha.1 through 12.0.0-alpha.3, @intlify/core-base versions 9.0.0-beta.12 through 9.14.4, 10.0.0-alpha.1 through 10.0.7, 11.0.0-beta.0 through 11.1.9 and 12.0.0-alpha.1 through 12.0.0-alpha.3 and vue-i18n versions 9.0.0-alpha.0 through 9.14.4, 10.0.0-alpha.1 through 10.0.7, 11.0.0-beta.0 through 11.1.9 and 12.0.0-alpha.1 through 12.0.0-alpha.3.