somewhat disturbing news about possible XSS in Vue