Does Vue, by default, provide security for or protects against XSS?
There is no built-in sanitizer in vue. As per Evan You's (Creator of Vue) comment on an issue
built-in sanitizer would add extra bundle weight for a rare use case (when most use cases of v-html are for trusted content); it is also trivial to add sanitize-html by setting Vue.prototype.$sanitize = sanitizeHTML and then do v-html="$sanitize(html)".
Check this post : https://github.com/vuejs/vue/issues/6333
One way to help protect against XSS, is to add a Content Security Policy in your html head. It works by restricting the resources (scripts, images) that a page can load and as well as restricting framing of your pages.
For example, the following directive only allow scripts to be loaded from the same origin as the page itself and "apis.google.com".
<meta http-equiv="Content-Security-Policy" content="script-src 'self' https://apis.google.com">
There are other CSP settings that can be used to help mitigate against XSS attacks such as nonces and hashes. For more information visit: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
More additional info than an answer: like mentioned in another post does sanitize-html have a drawback of a 327 KB weight. But there are smaller packages available:
To prevent XSS in our projects we are using vue-dompuritfy-html which has the bonus to cover the recommended eslint rule vue/no-v-html. After installing you can simply use
<div v-dompurify-html="htmlContent" />