Base solution for your next web application
Starts in:
01 DAYS
01 HRS
01 MIN
01 SEC
Open Closed

Unsanitized user input in dynamic HTML insertion (XSS) #12165

User avatar
0
mdepouw created

Our SAST scanning has recently flagged a bunch of XSS issues. Are you aware of these issues/findings? Have they already been addressed in the latest release by chance? Thanks!!

Here's one example:

"Result message: Unsanitized user input in dynamic HTML insertion (XSS) Snippet: KTUtil.setHTML(the.element, the.options.content); Rule name: javascript_lang_dangerous_insert_html Rule full description:

Description

Unsanitized user input in dynamic HTML insertion can lead to Cross-Site Scripting (XSS) attacks. This vulnerability arises when user-provided data is directly inserted into the DOM without proper sanitization, potentially allowing attackers to execute malicious scripts.

Remediations

  • Do use an HTML sanitization library to clean user input before inserting it into the HTML. This step helps prevent XSS attacks by removing or neutralizing any potentially harmful scripts. 
    import sanitizeHtml from 'sanitize-html';

const html = `<strong>${user.Input}</strong>`;
document.body.innerHTML = sanitizeHtml(html);

References

  • OWASP XSS explained
  • https://docs.bearer.com/reference/rules/javascript_lang_dangerous_insert_html/

Files flagged

complaining about being too long, I'll reply to this post

Go to accepted answer
7 Answer(s)
  • User Avatar
    0
    mdepouw created

    Files flagged 1

    angular/gulpfile.js angular/src/assets/metronic/common/js/components/blockui.js angular/src/assets/metronic/common/js/components/dialog.js angular/src/assets/metronic/common/js/components/feedback.js angular/src/assets/metronic/themes/default/js/components/blockui.js angular/src/assets/metronic/themes/default/js/custom/account/referrals/referral-program.js angular/src/assets/metronic/themes/default/js/custom/apps/contacts/edit-contact.js angular/src/assets/metronic/themes/default/js/custom/apps/ecommerce/catalog/save-product.js angular/src/assets/metronic/themes/default/js/custom/apps/ecommerce/catalog/save-product.js angular/src/assets/metronic/themes/default/js/custom/apps/ecommerce/sales/save-order.js angular/src/assets/metronic/themes/default/js/custom/apps/ecommerce/sales/save-order.js angular/src/assets/metronic/themes/default/js/custom/apps/ecommerce/settings/settings.js angular/src/assets/metronic/themes/default/js/custom/apps/support-center/general.js angular/src/assets/metronic/themes/default/js/custom/apps/user-management/users/list/table.js angular/src/assets/metronic/themes/default/js/custom/pages/general/pos.js angular/src/assets/metronic/themes/default/js/custom/pages/general/pos.js angular/src/assets/metronic/themes/default/js/custom/pages/general/pos.js angular/src/assets/metronic/themes/default/js/custom/pages/pricing/general.js angular/src/assets/metronic/themes/default/js/custom/pages/pricing/general.js angular/src/assets/metronic/themes/default/js/custom/pages/social/feeds.js angular/src/assets/metronic/themes/default/js/custom/utilities/modals/select-location.js angular/src/assets/metronic/themes/default/js/custom/utilities/modals/share-earn.js angular/src/assets/metronic/themes/default/js/custom/utilities/modals/upgrade-plan.js angular/src/assets/metronic/themes/default/js/custom/utilities/modals/upgrade-plan.js angular/src/assets/metronic/themes/theme10/js/components/feedback.js angular/src/assets/metronic/themes/theme10/js/custom/account/referrals/referral-program.js angular/src/assets/metronic/themes/theme10/js/custom/apps/contacts/edit-contact.js angular/src/assets/metronic/themes/theme10/js/custom/apps/ecommerce/catalog/save-product.js angular/src/assets/metronic/themes/theme10/js/custom/apps/ecommerce/catalog/save-product.js angular/src/assets/metronic/themes/theme10/js/custom/apps/ecommerce/sales/save-order.js angular/src/assets/metronic/themes/theme10/js/custom/apps/ecommerce/sales/save-order.js angular/src/assets/metronic/themes/theme10/js/custom/apps/ecommerce/settings/settings.js angular/src/assets/metronic/themes/theme10/js/custom/apps/subscriptions/list/list.js angular/src/assets/metronic/themes/theme10/js/custom/apps/support-center/general.js angular/src/assets/metronic/themes/theme10/js/custom/apps/user-management/users/list/table.js angular/src/assets/metronic/themes/theme10/js/custom/authentication/sign-up/coming-soon.js angular/src/assets/metronic/themes/theme10/js/custom/authentication/sign-up/coming-soon.js angular/src/assets/metronic/themes/theme10/js/custom/authentication/sign-up/coming-soon.js angular/src/assets/metronic/themes/theme10/js/custom/authentication/sign-up/coming-soon.js angular/src/assets/metronic/themes/theme10/js/custom/pages/general/pos.js angular/src/assets/metronic/themes/theme10/js/custom/pages/general/pos.js angular/src/assets/metronic/themes/theme10/js/custom/pages/general/pos.js angular/src/assets/metronic/themes/theme10/js/custom/pages/pricing/general.js angular/src/assets/metronic/themes/theme10/js/custom/pages/pricing/general.js angular/src/assets/metronic/themes/theme10/js/custom/pages/social/feeds.js angular/src/assets/metronic/themes/theme10/js/custom/utilities/modals/select-location.js angular/src/assets/metronic/themes/theme10/js/custom/utilities/modals/share-earn.js angular/src/assets/metronic/themes/theme10/js/custom/utilities/modals/upgrade-plan.js angular/src/assets/metronic/themes/theme10/js/custom/utilities/modals/upgrade-plan.js angular/src/assets/metronic/themes/theme11/js/components/blockui.js angular/src/assets/metronic/themes/theme11/js/custom/account/referrals/referral-program.js angular/src/assets/metronic/themes/theme11/js/custom/apps/contacts/edit-contact.js angular/src/assets/metronic/themes/theme11/js/custom/apps/ecommerce/catalog/save-product.js angular/src/assets/metronic/themes/theme11/js/custom/apps/ecommerce/catalog/save-product.js angular/src/assets/metronic/themes/theme11/js/custom/apps/ecommerce/sales/save-order.js angular/src/assets/metronic/themes/theme11/js/custom/apps/ecommerce/sales/save-order.js angular/src/assets/metronic/themes/theme11/js/custom/apps/ecommerce/settings/settings.js angular/src/assets/metronic/themes/theme11/js/custom/apps/support-center/general.js angular/src/assets/metronic/themes/theme11/js/custom/apps/user-management/users/list/table.js angular/src/assets/metronic/themes/theme11/js/custom/pages/general/pos.js angular/src/assets/metronic/themes/theme11/js/custom/pages/general/pos.js angular/src/assets/metronic/themes/theme11/js/custom/pages/general/pos.js angular/src/assets/metronic/themes/theme11/js/custom/pages/pricing/general.js angular/src/assets/metronic/themes/theme11/js/custom/pages/pricing/general.js angular/src/assets/metronic/themes/theme11/js/custom/pages/social/feeds.js angular/src/assets/metronic/themes/theme11/js/custom/utilities/modals/select-location.js angular/src/assets/metronic/themes/theme11/js/custom/utilities/modals/share-earn.js angular/src/assets/metronic/themes/theme11/js/custom/utilities/modals/upgrade-plan.js angular/src/assets/metronic/themes/theme11/js/custom/utilities/modals/upgrade-plan.js angular/src/assets/metronic/themes/theme12/js/components/blockui.js angular/src/assets/metronic/themes/theme12/js/components/util.js angular/src/assets/metronic/themes/theme12/js/custom/account/referrals/referral-program.js angular/src/assets/metronic/themes/theme12/js/custom/apps/contacts/edit-contact.js angular/src/assets/metronic/themes/theme12/js/custom/apps/ecommerce/catalog/save-product.js angular/src/assets/metronic/themes/theme12/js/custom/apps/ecommerce/catalog/save-product.js angular/src/assets/metronic/themes/theme12/js/custom/apps/ecommerce/sales/save-order.js angular/src/assets/metronic/themes/theme12/js/custom/apps/ecommerce/sales/save-order.js angular/src/assets/metronic/themes/theme12/js/custom/apps/ecommerce/settings/settings.js angular/src/assets/metronic/themes/theme12/js/custom/apps/support-center/general.js angular/src/assets/metronic/themes/theme12/js/custom/apps/user-management/users/list/table.js angular/src/assets/metronic/themes/theme12/js/custom/authentication/sign-up/coming-soon.js angular/src/assets/metronic/themes/theme12/js/custom/authentication/sign-up/coming-soon.js angular/src/assets/metronic/themes/theme12/js/custom/authentication/sign-up/coming-soon.js angular/src/assets/metronic/themes/theme12/js/custom/authentication/sign-up/coming-soon.js angular/src/assets/metronic/themes/theme12/js/custom/pages/general/pos.js angular/src/assets/metronic/themes/theme12/js/custom/pages/general/pos.js angular/src/assets/metronic/themes/theme12/js/custom/pages/general/pos.js angular/src/assets/metronic/themes/theme12/js/custom/pages/pricing/general.js angular/src/assets/metronic/themes/theme12/js/custom/pages/pricing/general.js angular/src/assets/metronic/themes/theme12/js/custom/pages/social/feeds.js angular/src/assets/metronic/themes/theme12/js/custom/utilities/modals/select-location.js angular/src/assets/metronic/themes/theme12/js/custom/utilities/modals/share-earn.js angular/src/assets/metronic/themes/theme12/js/custom/utilities/modals/upgrade-plan.js angular/src/assets/metronic/themes/theme12/js/custom/utilities/modals/upgrade-plan.js angular/src/assets/metronic/themes/theme13/js/components/blockui.js angular/src/assets/metronic/themes/theme13/js/custom/account/referrals/referral-program.js angular/src/assets/metronic/themes/theme13/js/custom/apps/contacts/edit-contact.js angular/src/assets/metronic/themes/theme13/js/custom/apps/ecommerce/catalog/save-product.js angular/src/assets/metronic/themes/theme13/js/custom/apps/ecommerce/catalog/save-product.js angular/src/assets/metronic/themes/theme13/js/custom/apps/ecommerce/customers/listing/listing.js angular/src/assets/metronic/themes/theme13/js/custom/apps/ecommerce/sales/save-order.js angular/src/assets/metronic/themes/theme13/js/custom/apps/ecommerce/sales/save-order.js angular/src/assets/metronic/themes/theme13/js/custom/apps/ecommerce/settings/settings.js angular/src/assets/metronic/themes/theme13/js/custom/apps/support-center/general.js angular/src/assets/metronic/themes/theme13/js/custom/apps/user-management/users/list/table.js angular/src/assets/metronic/themes/theme13/js/custom/authentication/sign-up/coming-soon.js angular/src/assets/metronic/themes/theme13/js/custom/authentication/sign-up/coming-soon.js angular/src/assets/metronic/themes/theme13/js/custom/authentication/sign-up/coming-soon.js angular/src/assets/metronic/themes/theme13/js/custom/authentication/sign-up/coming-soon.js angular/src/assets/metronic/themes/theme13/js/custom/pages/general/pos.js angular/src/assets/metronic/themes/theme13/js/custom/pages/general/pos.js angular/src/assets/metronic/themes/theme13/js/custom/pages/general/pos.js angular/src/assets/metronic/themes/theme13/js/custom/pages/pricing/general.js angular/src/assets/metronic/themes/theme13/js/custom/pages/pricing/general.js angular/src/assets/metronic/themes/theme13/js/custom/pages/social/feeds.js angular/src/assets/metronic/themes/theme13/js/custom/utilities/modals/select-location.js angular/src/assets/metronic/themes/theme13/js/custom/utilities/modals/share-earn.js angular/src/assets/metronic/themes/theme13/js/custom/utilities/modals/upgrade-plan.js angular/src/assets/metronic/themes/theme13/js/custom/utilities/modals/upgrade-plan.js angular/src/assets/metronic/themes/theme2/js/components/blockui.js angular/src/assets/metronic/themes/theme2/js/custom/account/referrals/referral-program.js angular/src/assets/metronic/themes/theme2/js/custom/apps/contacts/edit-contact.js angular/src/assets/metronic/themes/theme2/js/custom/apps/ecommerce/catalog/save-product.js angular/src/assets/metronic/themes/theme2/js/custom/apps/ecommerce/catalog/save-product.js angular/src/assets/metronic/themes/theme2/js/custom/apps/ecommerce/sales/save-order.js angular/src/assets/metronic/themes/theme2/js/custom/apps/ecommerce/sales/save-order.js angular/src/assets/metronic/themes/theme2/js/custom/apps/ecommerce/settings/settings.js angular/src/assets/metronic/themes/theme2/js/custom/apps/support-center/general.js angular/src/assets/metronic/themes/theme2/js/custom/apps/user-management/users/list/table.js angular/src/assets/metronic/themes/theme2/js/custom/pages/general/pos.js angular/src/assets/metronic/themes/theme2/js/custom/pages/general/pos.js angular/src/assets/metronic/themes/theme2/js/custom/pages/general/pos.js angular/src/assets/metronic/themes/theme2/js/custom/pages/pricing/general.js angular/src/assets/metronic/themes/theme2/js/custom/pages/pricing/general.js angular/src/assets/metronic/themes/theme2/js/custom/pages/social/feeds.js angular/src/assets/metronic/themes/theme2/js/custom/utilities/modals/select-location.js angular/src/assets/metronic/themes/theme2/js/custom/utilities/modals/share-earn.js angular/src/assets/metronic/themes/theme2/js/custom/utilities/modals/upgrade-plan.js angular/src/assets/metronic/themes/theme2/js/custom/utilities/modals/upgrade-plan.js angular/src/assets/metronic/themes/theme3/js/components/blockui.js angular/src/assets/metronic/themes/theme3/js/custom/account/referrals/referral-program.js angular/src/assets/metronic/themes/theme3/js/custom/apps/contacts/edit-contact.js angular/src/assets/metronic/themes/theme3/js/custom/apps/ecommerce/catalog/save-product.js angular/src/assets/metronic/themes/theme3/js/custom/apps/ecommerce/catalog/save-product.js angular/src/assets/metronic/themes/theme3/js/custom/apps/ecommerce/sales/save-order.js angular/src/assets/metronic/themes/theme3/js/custom/apps/ecommerce/sales/save-order.js angular/src/assets/metronic/themes/theme3/js/custom/apps/ecommerce/settings/settings.js angular/src/assets/metronic/themes/theme3/js/custom/apps/support-center/general.js angular/src/assets/metronic/themes/theme3/js/custom/apps/user-management/users/list/table.js angular/src/assets/metronic/themes/theme3/js/custom/authentication/sign-up/coming-soon.js angular/src/assets/metronic/themes/theme3/js/custom/authentication/sign-up/coming-soon.js angular/src/assets/metronic/themes/theme3/js/custom/authentication/sign-up/coming-soon.js angular/src/assets/metronic/themes/theme3/js/custom/authentication/sign-up/coming-soon.js angular/src/assets/metronic/themes/theme3/js/custom/pages/general/pos.js angular/src/assets/metronic/themes/theme3/js/custom/pages/general/pos.js angular/src/assets/metronic/themes/theme3/js/custom/pages/general/pos.js angular/src/assets/metronic/themes/theme3/js/custom/pages/pricing/general.js angular/src/assets/metronic/themes/theme3/js/custom/pages/pricing/general.js angular/src/assets/metronic/themes/theme3/js/custom/pages/social/feeds.js angular/src/assets/metronic/themes/theme3/js/custom/utilities/modals/select-location.js angular/src/assets/metronic/themes/theme3/js/custom/utilities/modals/share-earn.js angular/src/assets/metronic/themes/theme3/js/custom/utilities/modals/upgrade-plan.js angular/src/assets/metronic/themes/theme3/js/custom/utilities/modals/upgrade-plan.js angular/src/assets/metronic/themes/theme4/js/components/blockui.js angular/src/assets/metronic/themes/theme4/js/custom/account/referrals/referral-program.js angular/src/assets/metronic/themes/theme4/js/custom/apps/contacts/edit-contact.js angular/src/assets/metronic/themes/theme4/js/custom/apps/ecommerce/catalog/save-product.js angular/src/assets/metronic/themes/theme4/js/custom/apps/ecommerce/catalog/save-product.js angular/src/assets/metronic/themes/theme4/js/custom/apps/ecommerce/sales/save-order.js angular/src/assets/metronic/themes/theme4/js/custom/apps/ecommerce/sales/save-order.js angular/src/assets/metronic/themes/theme4/js/custom/apps/ecommerce/settings/settings.js ...

  • User Avatar
    0
    mdepouw created

    Files flagged 2

    angular/src/assets/metronic/themes/theme5/js/custom/apps/ecommerce/sales/save-order.js angular/src/assets/metronic/themes/theme5/js/custom/apps/ecommerce/sales/save-order.js angular/src/assets/metronic/themes/theme5/js/custom/apps/ecommerce/settings/settings.js angular/src/assets/metronic/themes/theme5/js/custom/apps/support-center/general.js angular/src/assets/metronic/themes/theme5/js/custom/apps/user-management/users/list/table.js angular/src/assets/metronic/themes/theme5/js/custom/pages/general/pos.js angular/src/assets/metronic/themes/theme5/js/custom/pages/general/pos.js angular/src/assets/metronic/themes/theme5/js/custom/pages/general/pos.js angular/src/assets/metronic/themes/theme5/js/custom/pages/pricing/general.js angular/src/assets/metronic/themes/theme5/js/custom/pages/pricing/general.js angular/src/assets/metronic/themes/theme5/js/custom/pages/social/feeds.js angular/src/assets/metronic/themes/theme5/js/custom/utilities/modals/select-location.js angular/src/assets/metronic/themes/theme5/js/custom/utilities/modals/share-earn.js angular/src/assets/metronic/themes/theme6/js/components/blockui.js angular/src/assets/metronic/themes/theme6/js/components/feedback.js angular/src/assets/metronic/themes/theme6/js/custom/account/referrals/referral-program.js angular/src/assets/metronic/themes/theme6/js/custom/apps/contacts/edit-contact.js angular/src/assets/metronic/themes/theme6/js/custom/apps/ecommerce/catalog/save-product.js angular/src/assets/metronic/themes/theme6/js/custom/apps/ecommerce/catalog/save-product.js angular/src/assets/metronic/themes/theme6/js/custom/apps/ecommerce/sales/save-order.js angular/src/assets/metronic/themes/theme6/js/custom/apps/ecommerce/sales/save-order.js angular/src/assets/metronic/themes/theme6/js/custom/apps/ecommerce/settings/settings.js angular/src/assets/metronic/themes/theme6/js/custom/apps/support-center/general.js angular/src/assets/metronic/themes/theme6/js/custom/apps/user-management/users/list/table.js angular/src/assets/metronic/themes/theme6/js/custom/authentication/sign-up/coming-soon.js angular/src/assets/metronic/themes/theme6/js/custom/authentication/sign-up/coming-soon.js angular/src/assets/metronic/themes/theme6/js/custom/authentication/sign-up/coming-soon.js angular/src/assets/metronic/themes/theme6/js/custom/authentication/sign-up/coming-soon.js angular/src/assets/metronic/themes/theme6/js/custom/pages/general/pos.js angular/src/assets/metronic/themes/theme6/js/custom/pages/general/pos.js angular/src/assets/metronic/themes/theme6/js/custom/pages/general/pos.js angular/src/assets/metronic/themes/theme6/js/custom/utilities/modals/share-earn.js angular/src/assets/metronic/themes/theme6/js/custom/utilities/modals/upgrade-plan.js angular/src/assets/metronic/themes/theme6/js/custom/utilities/modals/upgrade-plan.js angular/src/assets/metronic/themes/theme7/js/components/blockui.js angular/src/assets/metronic/themes/theme7/js/custom/account/referrals/referral-program.js angular/src/assets/metronic/themes/theme7/js/custom/apps/contacts/edit-contact.js angular/src/assets/metronic/themes/theme7/js/custom/apps/ecommerce/catalog/save-product.js angular/src/assets/metronic/themes/theme7/js/custom/apps/ecommerce/catalog/save-product.js angular/src/assets/metronic/themes/theme7/js/custom/apps/ecommerce/sales/save-order.js angular/src/assets/metronic/themes/theme7/js/custom/apps/ecommerce/sales/save-order.js angular/src/assets/metronic/themes/theme7/js/custom/apps/ecommerce/settings/settings.js angular/src/assets/metronic/themes/theme7/js/custom/apps/support-center/general.js angular/src/assets/metronic/themes/theme7/js/custom/pages/general/pos.js angular/src/assets/metronic/themes/theme7/js/custom/pages/general/pos.js angular/src/assets/metronic/themes/theme7/js/custom/pages/pricing/general.js angular/src/assets/metronic/themes/theme7/js/custom/pages/pricing/general.js angular/src/assets/metronic/themes/theme7/js/custom/pages/social/feeds.js angular/src/assets/metronic/themes/theme7/js/custom/utilities/modals/select-location.js angular/src/assets/metronic/themes/theme8/js/components/blockui.js angular/src/assets/metronic/themes/theme8/js/custom/apps/support-center/general.js angular/src/assets/metronic/themes/theme8/js/custom/apps/user-management/users/list/table.js angular/src/assets/metronic/themes/theme8/js/custom/pages/general/pos.js angular/src/assets/metronic/themes/theme8/js/custom/pages/general/pos.js angular/src/assets/metronic/themes/theme8/js/custom/pages/general/pos.js angular/src/assets/metronic/themes/theme8/js/custom/pages/pricing/general.js angular/src/assets/metronic/themes/theme8/js/custom/pages/pricing/general.js angular/src/assets/metronic/themes/theme8/js/custom/utilities/modals/share-earn.js angular/src/assets/metronic/themes/theme8/js/custom/utilities/modals/upgrade-plan.js angular/src/assets/metronic/themes/theme9/js/components/blockui.js angular/src/assets/metronic/themes/theme9/js/components/feedback.js angular/src/assets/metronic/themes/theme9/js/custom/apps/support-center/general.js angular/src/assets/metronic/themes/theme9/js/custom/apps/user-management/users/list/table.js angular/src/assets/metronic/themes/theme9/js/custom/pages/general/pos.js angular/src/root.module.ts angular/src/shared/helpers/DomHelper.ts angular/src/shared/helpers/HtmlHelper.ts

  • User Avatar
    0
    m.aliozkaya created
    Support Team

    Hi @mdepouw,

    We don't use these Metronic javascript files directly. I will take a look at the following classes.

    angular/src/root.module.ts angular/src/shared/helpers/DomHelper.ts angular/src/shared/helpers/HtmlHelper.ts

    1
  • User Avatar
    0
    mdepouw created

    what about angular/gulpfile.js? thanks!

  • User Avatar
    0
    m.aliozkaya created
    Support Team

    Hi @mdepouw,

    I don't think these will cause a security breach. But we will check the files you reported, thank you for your feedback.

  • User Avatar
    0
    gtewksbury created

    Hi @mdepouw,

    I don't think these will cause a security breach. But we will check the files you reported, thank you for your feedback.

    Hello!

    I'm following up on this on behalf of @mdepouw. Question for the support team regarding angular/src/shared/helpers/HtmlHelper.ts. This file is tripping https://cwe.mitre.org/data/definitions/79.html. When looking through the source code, I don't see any references to HtmlHelper.ts within the code base. Is there any reason we can't remove this file entirely?

  • User Avatar
    0
    gtewksbury created

    Hi @mdepouw,

    I don't think these will cause a security breach. But we will check the files you reported, thank you for your feedback.

    Hello again!

    Another follow-up question. angular/src/shared/helpers/DomHelper.ts is also tripping https://cwe.mitre.org/data/definitions/79.html. This feels like a legitimate risk, as depending on what's passed into it, it could run malicious JavaScript code. The recommendation is to sanitize any HTML that is set based on dynamic data. Below is the code that is getting flagged. Is this something the ASP.NET Zero team plans to do based on the CWE above?

    static createElement(tag: string, attributes: any[]): any {
    let el = document.createElement(tag); // tag needs to be sanitized
    for (let i = 0; i < attributes.length; i++) {
        let attribute = attributes[i];
        el.setAttribute(attribute.key, attribute.value); // attribute.value needs to be sanitized
    }

    return el;
}

    Thanks!

Assignee
No one
Labels
None yet