Files
gil-wiki/reference/4.api/2.composables/use-head-safe.md
gil 5f664546cf feat: 위키 저장소 초기 커밋
- CLAUDE.md 운영 규칙
- wiki/ 정리된 지식 페이지 (Nuxt + Claude Code)
- raw/ 원본 자료
- reference/ Nuxt 4.x 공식 문서

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-05-13 00:31:51 +09:00

2.4 KiB

title, description, links
title description links
useHeadSafe The recommended way to provide head data with user input.
label icon to size
Source i-simple-icons-github https://github.com/unjs/unhead/blob/main/packages/vue/src/composables.ts xs

Usage

The useHeadSafe composable is a wrapper around the useHead composable that restricts the input to only allow safe values. This is the recommended way to manage head data when working with user input, as it prevents XSS attacks by sanitizing potentially dangerous attributes.

::warning When using useHeadSafe, potentially dangerous attributes like innerHTML in scripts or http-equiv in meta tags are automatically stripped out to prevent XSS attacks. Use this composable whenever you're working with user-generated content. ::

Type

export function useHeadSafe (input: MaybeComputedRef<HeadSafe>): void

Allowed Attributes

The following attributes are whitelisted for each head element type:

const WhitelistAttributes = {
  htmlAttrs: ['class', 'style', 'lang', 'dir'],
  bodyAttrs: ['class', 'style'],
  meta: ['name', 'property', 'charset', 'content', 'media'],
  noscript: ['textContent'],
  style: ['media', 'textContent', 'nonce', 'title', 'blocking'],
  script: ['type', 'textContent', 'nonce', 'blocking'],
  link: ['color', 'crossorigin', 'fetchpriority', 'href', 'hreflang', 'imagesrcset', 'imagesizes', 'integrity', 'media', 'referrerpolicy', 'rel', 'sizes', 'type'],
}

See @unhead/vue for more detailed types.

Parameters

input: A MaybeComputedRef<HeadSafe> object containing head data. You can pass all the same values as useHead, but only safe attributes will be rendered.

Return Values

This composable does not return any value.

Example

<script setup lang="ts">
// User-generated content that might contain malicious code
const userBio = ref('<script>alert("xss")<' + '/script>')

useHeadSafe({
  title: `User Profile`,
  meta: [
    {
      name: 'description',
      content: userBio.value, // Safely sanitized
    },
  ],
})
</script>

::read-more{to="https://unhead.unjs.io/docs/typescript/head/api/composables/use-head-safe" target="_blank"} Read more on the Unhead documentation. ::