v0.9.6

• fix(xss) drop non-raw on handles and innerHTML (#124)
• fix: warn script children usage (#123)

v0.9.5

• chore: bump zhead
• fix: simpler logic for removing added head objs (#122)

v0.9.4

• chore: make optional id
• fix: safer removal of objects using hash
• fix: dedupe title

v0.9.3

• fix: remove head objects at right index

v0.9.2

• chore: bump zhead schema

v0.9.1

• chore(doc): fix typo
• Merge branch 'main' of github.com:vueuse/head into main
• feat: debounce dom update (#120)

v0.9.0

• fix: return remove fn from addHeadObj, fixes #48
• feat: useHeadRaw to bypass XSS protections (#118)
• fix(ssr): encode children, href and url more appropriately (#119)

⚠️ Breaking Changes

Event attributes no longer allowed

Warning, you must use useHeadRaw to set event listeners.

Providing on event attributes with useHead is no longer allowed and will throw a warning, this is to avoid unexpected XSS. You will need to use useHeadRaw

New Syntax:

useHeadRaw({
  htmlAttrs: {
    onfocus: 'console.log(\'focused\')
  }
})

script tags with children will no longer work with useHead

Warning, you must use useHeadRaw with innerHTML for script content.

Previously you could render scripts server-side correctly without encoding. This was an XSS issue, you should now use the following syntax:

useHeadRaw({
  script: [
    {
      innerHTML: 'console.log(\'my script!\')
    }
  ]
})

v0.8.2

v0.8.2

v0.8.1

• chore: bump dependencies (#116)
• feat: hook into resolved tags hookTagsResolved (#115)
• refactor: improve HeadAugmentation types and add export

v0.8.0

What's Changed

• feat: support deprecated dedupe keys by @harlan-zw in #106
• feat: computed getter support by @harlan-zw in #110
• feat: before dom update hookable by @harlan-zw in #114

Full Changelog: v0.7.13...v0.8.0