createStreamableHead({ streamKey }) interpolated its streamKey argument directly into the streaming SSR bootstrap and suspense-chunk inline scripts without identifier validation or escaping. If an application forwards untrusted data into that configuration value, the rendered scripts become a script-injection sink.
useHeadSafe() is the composable that Nuxt's own documentation explicitly recommends for rendering user-supplied content in <head> safely. Internally, the hasDangerousProtocol() function in packages/unhead/src/plugins/safe.ts decodes HTML entities before checking for blocked URI schemes (javascript:, data:, vbscript:). The decoder uses two regular expressions with fixed-width digit caps: // Current — vulnerable const HtmlEntityHex = /&#x([0-9a-f]{1,6});?/gi const HtmlEntityDec = /&#(\d{1,7});?/g The HTML5 specification imposes no limit on leading zeros in numeric character references. …
The link.href check in makeTagSafe (safe.ts, line 68-71) uses String.includes(), which is case-sensitive: if (key === 'href') { if (val.includes('javascript:') || val.includes('data:')) { return } next[key] = val } Browsers treat URI schemes case-insensitively. DATA:text/css,… is the same as data:text/css,… to the browser, but 'DATA:…'.includes('data:') returns false.
useHeadSafe() can be bypassed to inject arbitrary HTML attributes, including event handlers, into SSR-rendered <head> tags. This is the composable that Nuxt docs recommend for safely handling user-generated content.