Our SAST scanning has recently flagged a bunch of XSS issues. Are you aware of these issues/findings? Have they already been addressed in the latest release by chance? Thanks!!
Here's one example:
"Result message: Unsanitized user input in dynamic HTML insertion (XSS)
Snippet:
KTUtil.setHTML(the.element, the.options.content);
Rule name: javascript_lang_dangerous_insert_html
Rule full description:
Description
Unsanitized user input in dynamic HTML insertion can lead to Cross-Site Scripting (XSS) attacks. This vulnerability arises when user-provided data is directly inserted into the DOM without proper sanitization, potentially allowing attackers to execute malicious scripts.
Remediations
- Do use an HTML sanitization library to clean user input before inserting it into the HTML. This step helps prevent XSS attacks by removing or neutralizing any potentially harmful scripts.
import sanitizeHtml from 'sanitize-html';
const html = `<strong>${user.Input}</strong>`;
document.body.innerHTML = sanitizeHtml(html);
References
- OWASP XSS explained
- https://docs.bearer.com/reference/rules/javascript_lang_dangerous_insert_html/
Files flagged: (the forum is complaining about the post being too long, so I'll reply to this post with the list)
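The Bearer remediation quoted above sanitizes the assembled string after interpolation. The following is an added example, not code from the original post, from ASP.NET Zero, Metronic or Bearer: it escapes at the interpolation boundary instead, and gives the setHTML-style sink a parameter type that only reviewed or escaped markup satisfies, which is the trusted/untrusted distinction the scanner is approximating with string analysis. TrustedHtml, html, setHTML, renderNotice and the payload string are this example's own names and constructed input; it runs in Node with a plain object standing in for the DOM element.

```typescript
// Added example (not ASP.NET Zero, Metronic or Bearer code). It models the
// KTUtil.setHTML(...) sink with a type that only accepts reviewed or escaped
// markup; TrustedHtml, html and setHTML are names chosen for this example.

const ESCAPES: Record<string, string> = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Output-encodes text for an HTML body or quoted-attribute context.
function escapeHtml(text: string): string {
  return text.replace(/[&<>"']/g, (c) => ESCAPES[c] ?? c);
}

// Markup that is safe to hand to an innerHTML-style sink. The constructor is
// private, so a plain string (what the SAST rule objects to) cannot be passed
// where TrustedHtml is expected without going through one of the factories.
class TrustedHtml {
  private readonly markup: string;

  private constructor(markup: string) {
    this.markup = markup;
  }

  toString(): string {
    return this.markup;
  }

  // Tagged template: string and number interpolations are escaped, nested
  // TrustedHtml fragments are spliced in as-is, so they are never double-escaped.
  static template(strings: TemplateStringsArray, ...values: Array<string | number | TrustedHtml>): TrustedHtml {
    let out = '';
    for (let i = 0; i < values.length; i++) {
      out += strings[i] ?? '';
      const v = values[i];
      out += v instanceof TrustedHtml ? v.toString() : escapeHtml(String(v));
    }
    out += strings[values.length] ?? '';
    return new TrustedHtml(out);
  }

  // Escape hatch for static markup that a human has reviewed (a theme template,
  // for instance). Its name is deliberately loud so it stands out in code review,
  // like Angular's bypassSecurityTrustHtml.
  static unsafeFromReviewedMarkup(markup: string): TrustedHtml {
    return new TrustedHtml(markup);
  }
}

const html = TrustedHtml.template;

// Minimal stand-in for the element the theme writes into.
interface HasInnerHtml {
  innerHTML: string;
}

// The sink. Accepting only TrustedHtml turns "string reached innerHTML" from a
// scanner finding into a type error at the call site.
function setHTML(el: HasInnerHtml, content: TrustedHtml): void {
  el.innerHTML = content.toString();
}

// Builds notice markup from a fixed template plus user-controlled text.
function renderNotice(userText: string): string {
  return html`<div class="alert"><strong>${userText}</strong></div>`.toString();
}

// Constructed input standing in for an options.content value derived from user data.
const payload = '<img src=x onerror="alert(1)">';
const target: HasInnerHtml = { innerHTML: '' };
setHTML(target, html`<div class="alert"><strong>${payload}</strong></div>`);
// target.innerHTML now holds the payload as inert text:
// <div class="alert"><strong>&lt;img src=x onerror=&quot;alert(1)&quot;&gt;</strong></div>
```

In TypeScript code such as the helpers under angular/src/shared, the sink's parameter type does the triage for you: every call site that feeds it raw server or user data either has to be rewritten through the html tag or marked with unsafeFromReviewedMarkup, and the latter is the name a reviewer greps for. The theme's own JavaScript files get no such check, so for those the question remains whether the value passed to setHTML can ever contain user-controlled data.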
7 Answer(s)
-
Files flagged 1
angular/gulpfile.js
angular/src/assets/metronic/common/js/components/blockui.js
angular/src/assets/metronic/common/js/components/dialog.js
angular/src/assets/metronic/common/js/components/feedback.js
angular/src/assets/metronic/themes/default/js/components/blockui.js
angular/src/assets/metronic/themes/default/js/custom/account/referrals/referral-program.js
angular/src/assets/metronic/themes/default/js/custom/apps/contacts/edit-contact.js
angular/src/assets/metronic/themes/default/js/custom/apps/ecommerce/catalog/save-product.js
angular/src/assets/metronic/themes/default/js/custom/apps/ecommerce/catalog/save-product.js
angular/src/assets/metronic/themes/default/js/custom/apps/ecommerce/sales/save-order.js
angular/src/assets/metronic/themes/default/js/custom/apps/ecommerce/sales/save-order.js
angular/src/assets/metronic/themes/default/js/custom/apps/ecommerce/settings/settings.js
angular/src/assets/metronic/themes/default/js/custom/apps/support-center/general.js
angular/src/assets/metronic/themes/default/js/custom/apps/user-management/users/list/table.js
angular/src/assets/metronic/themes/default/js/custom/pages/general/pos.js
angular/src/assets/metronic/themes/default/js/custom/pages/general/pos.js
angular/src/assets/metronic/themes/default/js/custom/pages/general/pos.js
angular/src/assets/metronic/themes/default/js/custom/pages/pricing/general.js
angular/src/assets/metronic/themes/default/js/custom/pages/pricing/general.js
angular/src/assets/metronic/themes/default/js/custom/pages/social/feeds.js
angular/src/assets/metronic/themes/default/js/custom/utilities/modals/select-location.js
angular/src/assets/metronic/themes/default/js/custom/utilities/modals/share-earn.js
angular/src/assets/metronic/themes/default/js/custom/utilities/modals/upgrade-plan.js
angular/src/assets/metronic/themes/default/js/custom/utilities/modals/upgrade-plan.js
angular/src/assets/metronic/themes/theme10/js/components/feedback.js
angular/src/assets/metronic/themes/theme10/js/custom/account/referrals/referral-program.js
angular/src/assets/metronic/themes/theme10/js/custom/apps/contacts/edit-contact.js
angular/src/assets/metronic/themes/theme10/js/custom/apps/ecommerce/catalog/save-product.js
angular/src/assets/metronic/themes/theme10/js/custom/apps/ecommerce/catalog/save-product.js
angular/src/assets/metronic/themes/theme10/js/custom/apps/ecommerce/sales/save-order.js
angular/src/assets/metronic/themes/theme10/js/custom/apps/ecommerce/sales/save-order.js
angular/src/assets/metronic/themes/theme10/js/custom/apps/ecommerce/settings/settings.js
angular/src/assets/metronic/themes/theme10/js/custom/apps/subscriptions/list/list.js
angular/src/assets/metronic/themes/theme10/js/custom/apps/support-center/general.js
angular/src/assets/metronic/themes/theme10/js/custom/apps/user-management/users/list/table.js
angular/src/assets/metronic/themes/theme10/js/custom/authentication/sign-up/coming-soon.js
angular/src/assets/metronic/themes/theme10/js/custom/authentication/sign-up/coming-soon.js
angular/src/assets/metronic/themes/theme10/js/custom/authentication/sign-up/coming-soon.js
angular/src/assets/metronic/themes/theme10/js/custom/authentication/sign-up/coming-soon.js
angular/src/assets/metronic/themes/theme10/js/custom/pages/general/pos.js
angular/src/assets/metronic/themes/theme10/js/custom/pages/general/pos.js
angular/src/assets/metronic/themes/theme10/js/custom/pages/general/pos.js
angular/src/assets/metronic/themes/theme10/js/custom/pages/pricing/general.js
angular/src/assets/metronic/themes/theme10/js/custom/pages/pricing/general.js
angular/src/assets/metronic/themes/theme10/js/custom/pages/social/feeds.js
angular/src/assets/metronic/themes/theme10/js/custom/utilities/modals/select-location.js
angular/src/assets/metronic/themes/theme10/js/custom/utilities/modals/share-earn.js
angular/src/assets/metronic/themes/theme10/js/custom/utilities/modals/upgrade-plan.js
angular/src/assets/metronic/themes/theme10/js/custom/utilities/modals/upgrade-plan.js
angular/src/assets/metronic/themes/theme11/js/components/blockui.js
angular/src/assets/metronic/themes/theme11/js/custom/account/referrals/referral-program.js
angular/src/assets/metronic/themes/theme11/js/custom/apps/contacts/edit-contact.js
angular/src/assets/metronic/themes/theme11/js/custom/apps/ecommerce/catalog/save-product.js
angular/src/assets/metronic/themes/theme11/js/custom/apps/ecommerce/catalog/save-product.js
angular/src/assets/metronic/themes/theme11/js/custom/apps/ecommerce/sales/save-order.js
angular/src/assets/metronic/themes/theme11/js/custom/apps/ecommerce/sales/save-order.js
angular/src/assets/metronic/themes/theme11/js/custom/apps/ecommerce/settings/settings.js
angular/src/assets/metronic/themes/theme11/js/custom/apps/support-center/general.js
angular/src/assets/metronic/themes/theme11/js/custom/apps/user-management/users/list/table.js
angular/src/assets/metronic/themes/theme11/js/custom/pages/general/pos.js
angular/src/assets/metronic/themes/theme11/js/custom/pages/general/pos.js
angular/src/assets/metronic/themes/theme11/js/custom/pages/general/pos.js
angular/src/assets/metronic/themes/theme11/js/custom/pages/pricing/general.js
angular/src/assets/metronic/themes/theme11/js/custom/pages/pricing/general.js
angular/src/assets/metronic/themes/theme11/js/custom/pages/social/feeds.js
angular/src/assets/metronic/themes/theme11/js/custom/utilities/modals/select-location.js
angular/src/assets/metronic/themes/theme11/js/custom/utilities/modals/share-earn.js
angular/src/assets/metronic/themes/theme11/js/custom/utilities/modals/upgrade-plan.js
angular/src/assets/metronic/themes/theme11/js/custom/utilities/modals/upgrade-plan.js
angular/src/assets/metronic/themes/theme12/js/components/blockui.js
angular/src/assets/metronic/themes/theme12/js/components/util.js
angular/src/assets/metronic/themes/theme12/js/custom/account/referrals/referral-program.js
angular/src/assets/metronic/themes/theme12/js/custom/apps/contacts/edit-contact.js
angular/src/assets/metronic/themes/theme12/js/custom/apps/ecommerce/catalog/save-product.js
angular/src/assets/metronic/themes/theme12/js/custom/apps/ecommerce/catalog/save-product.js
angular/src/assets/metronic/themes/theme12/js/custom/apps/ecommerce/sales/save-order.js
angular/src/assets/metronic/themes/theme12/js/custom/apps/ecommerce/sales/save-order.js
angular/src/assets/metronic/themes/theme12/js/custom/apps/ecommerce/settings/settings.js
angular/src/assets/metronic/themes/theme12/js/custom/apps/support-center/general.js
angular/src/assets/metronic/themes/theme12/js/custom/apps/user-management/users/list/table.js
angular/src/assets/metronic/themes/theme12/js/custom/authentication/sign-up/coming-soon.js
angular/src/assets/metronic/themes/theme12/js/custom/authentication/sign-up/coming-soon.js
angular/src/assets/metronic/themes/theme12/js/custom/authentication/sign-up/coming-soon.js
angular/src/assets/metronic/themes/theme12/js/custom/authentication/sign-up/coming-soon.js
angular/src/assets/metronic/themes/theme12/js/custom/pages/general/pos.js
angular/src/assets/metronic/themes/theme12/js/custom/pages/general/pos.js
angular/src/assets/metronic/themes/theme12/js/custom/pages/general/pos.js
angular/src/assets/metronic/themes/theme12/js/custom/pages/pricing/general.js
angular/src/assets/metronic/themes/theme12/js/custom/pages/pricing/general.js
angular/src/assets/metronic/themes/theme12/js/custom/pages/social/feeds.js
angular/src/assets/metronic/themes/theme12/js/custom/utilities/modals/select-location.js
angular/src/assets/metronic/themes/theme12/js/custom/utilities/modals/share-earn.js
angular/src/assets/metronic/themes/theme12/js/custom/utilities/modals/upgrade-plan.js
angular/src/assets/metronic/themes/theme12/js/custom/utilities/modals/upgrade-plan.js
angular/src/assets/metronic/themes/theme13/js/components/blockui.js
angular/src/assets/metronic/themes/theme13/js/custom/account/referrals/referral-program.js
angular/src/assets/metronic/themes/theme13/js/custom/apps/contacts/edit-contact.js
angular/src/assets/metronic/themes/theme13/js/custom/apps/ecommerce/catalog/save-product.js
angular/src/assets/metronic/themes/theme13/js/custom/apps/ecommerce/catalog/save-product.js
angular/src/assets/metronic/themes/theme13/js/custom/apps/ecommerce/customers/listing/listing.js
angular/src/assets/metronic/themes/theme13/js/custom/apps/ecommerce/sales/save-order.js
angular/src/assets/metronic/themes/theme13/js/custom/apps/ecommerce/sales/save-order.js
angular/src/assets/metronic/themes/theme13/js/custom/apps/ecommerce/settings/settings.js
angular/src/assets/metronic/themes/theme13/js/custom/apps/support-center/general.js
angular/src/assets/metronic/themes/theme13/js/custom/apps/user-management/users/list/table.js
angular/src/assets/metronic/themes/theme13/js/custom/authentication/sign-up/coming-soon.js
angular/src/assets/metronic/themes/theme13/js/custom/authentication/sign-up/coming-soon.js
angular/src/assets/metronic/themes/theme13/js/custom/authentication/sign-up/coming-soon.js
angular/src/assets/metronic/themes/theme13/js/custom/authentication/sign-up/coming-soon.js
angular/src/assets/metronic/themes/theme13/js/custom/pages/general/pos.js
angular/src/assets/metronic/themes/theme13/js/custom/pages/general/pos.js
angular/src/assets/metronic/themes/theme13/js/custom/pages/general/pos.js
angular/src/assets/metronic/themes/theme13/js/custom/pages/pricing/general.js
angular/src/assets/metronic/themes/theme13/js/custom/pages/pricing/general.js
angular/src/assets/metronic/themes/theme13/js/custom/pages/social/feeds.js
angular/src/assets/metronic/themes/theme13/js/custom/utilities/modals/select-location.js
angular/src/assets/metronic/themes/theme13/js/custom/utilities/modals/share-earn.js
angular/src/assets/metronic/themes/theme13/js/custom/utilities/modals/upgrade-plan.js
angular/src/assets/metronic/themes/theme13/js/custom/utilities/modals/upgrade-plan.js
angular/src/assets/metronic/themes/theme2/js/components/blockui.js
angular/src/assets/metronic/themes/theme2/js/custom/account/referrals/referral-program.js
angular/src/assets/metronic/themes/theme2/js/custom/apps/contacts/edit-contact.js
angular/src/assets/metronic/themes/theme2/js/custom/apps/ecommerce/catalog/save-product.js
angular/src/assets/metronic/themes/theme2/js/custom/apps/ecommerce/catalog/save-product.js
angular/src/assets/metronic/themes/theme2/js/custom/apps/ecommerce/sales/save-order.js
angular/src/assets/metronic/themes/theme2/js/custom/apps/ecommerce/sales/save-order.js
angular/src/assets/metronic/themes/theme2/js/custom/apps/ecommerce/settings/settings.js
angular/src/assets/metronic/themes/theme2/js/custom/apps/support-center/general.js
angular/src/assets/metronic/themes/theme2/js/custom/apps/user-management/users/list/table.js
angular/src/assets/metronic/themes/theme2/js/custom/pages/general/pos.js
angular/src/assets/metronic/themes/theme2/js/custom/pages/general/pos.js
angular/src/assets/metronic/themes/theme2/js/custom/pages/general/pos.js
angular/src/assets/metronic/themes/theme2/js/custom/pages/pricing/general.js
angular/src/assets/metronic/themes/theme2/js/custom/pages/pricing/general.js
angular/src/assets/metronic/themes/theme2/js/custom/pages/social/feeds.js
angular/src/assets/metronic/themes/theme2/js/custom/utilities/modals/select-location.js
angular/src/assets/metronic/themes/theme2/js/custom/utilities/modals/share-earn.js
angular/src/assets/metronic/themes/theme2/js/custom/utilities/modals/upgrade-plan.js
angular/src/assets/metronic/themes/theme2/js/custom/utilities/modals/upgrade-plan.js
angular/src/assets/metronic/themes/theme3/js/components/blockui.js
angular/src/assets/metronic/themes/theme3/js/custom/account/referrals/referral-program.js
angular/src/assets/metronic/themes/theme3/js/custom/apps/contacts/edit-contact.js
angular/src/assets/metronic/themes/theme3/js/custom/apps/ecommerce/catalog/save-product.js
angular/src/assets/metronic/themes/theme3/js/custom/apps/ecommerce/catalog/save-product.js
angular/src/assets/metronic/themes/theme3/js/custom/apps/ecommerce/sales/save-order.js
angular/src/assets/metronic/themes/theme3/js/custom/apps/ecommerce/sales/save-order.js
angular/src/assets/metronic/themes/theme3/js/custom/apps/ecommerce/settings/settings.js
angular/src/assets/metronic/themes/theme3/js/custom/apps/support-center/general.js
angular/src/assets/metronic/themes/theme3/js/custom/apps/user-management/users/list/table.js
angular/src/assets/metronic/themes/theme3/js/custom/authentication/sign-up/coming-soon.js
angular/src/assets/metronic/themes/theme3/js/custom/authentication/sign-up/coming-soon.js
angular/src/assets/metronic/themes/theme3/js/custom/authentication/sign-up/coming-soon.js
angular/src/assets/metronic/themes/theme3/js/custom/authentication/sign-up/coming-soon.js
angular/src/assets/metronic/themes/theme3/js/custom/pages/general/pos.js
angular/src/assets/metronic/themes/theme3/js/custom/pages/general/pos.js
angular/src/assets/metronic/themes/theme3/js/custom/pages/general/pos.js
angular/src/assets/metronic/themes/theme3/js/custom/pages/pricing/general.js
angular/src/assets/metronic/themes/theme3/js/custom/pages/pricing/general.js
angular/src/assets/metronic/themes/theme3/js/custom/pages/social/feeds.js
angular/src/assets/metronic/themes/theme3/js/custom/utilities/modals/select-location.js
angular/src/assets/metronic/themes/theme3/js/custom/utilities/modals/share-earn.js
angular/src/assets/metronic/themes/theme3/js/custom/utilities/modals/upgrade-plan.js
angular/src/assets/metronic/themes/theme3/js/custom/utilities/modals/upgrade-plan.js
angular/src/assets/metronic/themes/theme4/js/components/blockui.js
angular/src/assets/metronic/themes/theme4/js/custom/account/referrals/referral-program.js
angular/src/assets/metronic/themes/theme4/js/custom/apps/contacts/edit-contact.js
angular/src/assets/metronic/themes/theme4/js/custom/apps/ecommerce/catalog/save-product.js
angular/src/assets/metronic/themes/theme4/js/custom/apps/ecommerce/catalog/save-product.js
angular/src/assets/metronic/themes/theme4/js/custom/apps/ecommerce/sales/save-order.js
angular/src/assets/metronic/themes/theme4/js/custom/apps/ecommerce/sales/save-order.js
angular/src/assets/metronic/themes/theme4/js/custom/apps/ecommerce/settings/settings.js
...
-
Files flagged 2
angular/src/assets/metronic/themes/theme5/js/custom/apps/ecommerce/sales/save-order.js
angular/src/assets/metronic/themes/theme5/js/custom/apps/ecommerce/sales/save-order.js
angular/src/assets/metronic/themes/theme5/js/custom/apps/ecommerce/settings/settings.js
angular/src/assets/metronic/themes/theme5/js/custom/apps/support-center/general.js
angular/src/assets/metronic/themes/theme5/js/custom/apps/user-management/users/list/table.js
angular/src/assets/metronic/themes/theme5/js/custom/pages/general/pos.js
angular/src/assets/metronic/themes/theme5/js/custom/pages/general/pos.js
angular/src/assets/metronic/themes/theme5/js/custom/pages/general/pos.js
angular/src/assets/metronic/themes/theme5/js/custom/pages/pricing/general.js
angular/src/assets/metronic/themes/theme5/js/custom/pages/pricing/general.js
angular/src/assets/metronic/themes/theme5/js/custom/pages/social/feeds.js
angular/src/assets/metronic/themes/theme5/js/custom/utilities/modals/select-location.js
angular/src/assets/metronic/themes/theme5/js/custom/utilities/modals/share-earn.js
angular/src/assets/metronic/themes/theme6/js/components/blockui.js
angular/src/assets/metronic/themes/theme6/js/components/feedback.js
angular/src/assets/metronic/themes/theme6/js/custom/account/referrals/referral-program.js
angular/src/assets/metronic/themes/theme6/js/custom/apps/contacts/edit-contact.js
angular/src/assets/metronic/themes/theme6/js/custom/apps/ecommerce/catalog/save-product.js
angular/src/assets/metronic/themes/theme6/js/custom/apps/ecommerce/catalog/save-product.js
angular/src/assets/metronic/themes/theme6/js/custom/apps/ecommerce/sales/save-order.js
angular/src/assets/metronic/themes/theme6/js/custom/apps/ecommerce/sales/save-order.js
angular/src/assets/metronic/themes/theme6/js/custom/apps/ecommerce/settings/settings.js
angular/src/assets/metronic/themes/theme6/js/custom/apps/support-center/general.js
angular/src/assets/metronic/themes/theme6/js/custom/apps/user-management/users/list/table.js
angular/src/assets/metronic/themes/theme6/js/custom/authentication/sign-up/coming-soon.js
angular/src/assets/metronic/themes/theme6/js/custom/authentication/sign-up/coming-soon.js
angular/src/assets/metronic/themes/theme6/js/custom/authentication/sign-up/coming-soon.js
angular/src/assets/metronic/themes/theme6/js/custom/authentication/sign-up/coming-soon.js
angular/src/assets/metronic/themes/theme6/js/custom/pages/general/pos.js
angular/src/assets/metronic/themes/theme6/js/custom/pages/general/pos.js
angular/src/assets/metronic/themes/theme6/js/custom/pages/general/pos.js
angular/src/assets/metronic/themes/theme6/js/custom/utilities/modals/share-earn.js
angular/src/assets/metronic/themes/theme6/js/custom/utilities/modals/upgrade-plan.js
angular/src/assets/metronic/themes/theme6/js/custom/utilities/modals/upgrade-plan.js
angular/src/assets/metronic/themes/theme7/js/components/blockui.js
angular/src/assets/metronic/themes/theme7/js/custom/account/referrals/referral-program.js
angular/src/assets/metronic/themes/theme7/js/custom/apps/contacts/edit-contact.js
angular/src/assets/metronic/themes/theme7/js/custom/apps/ecommerce/catalog/save-product.js
angular/src/assets/metronic/themes/theme7/js/custom/apps/ecommerce/catalog/save-product.js
angular/src/assets/metronic/themes/theme7/js/custom/apps/ecommerce/sales/save-order.js
angular/src/assets/metronic/themes/theme7/js/custom/apps/ecommerce/sales/save-order.js
angular/src/assets/metronic/themes/theme7/js/custom/apps/ecommerce/settings/settings.js
angular/src/assets/metronic/themes/theme7/js/custom/apps/support-center/general.js
angular/src/assets/metronic/themes/theme7/js/custom/pages/general/pos.js
angular/src/assets/metronic/themes/theme7/js/custom/pages/general/pos.js
angular/src/assets/metronic/themes/theme7/js/custom/pages/pricing/general.js
angular/src/assets/metronic/themes/theme7/js/custom/pages/pricing/general.js
angular/src/assets/metronic/themes/theme7/js/custom/pages/social/feeds.js
angular/src/assets/metronic/themes/theme7/js/custom/utilities/modals/select-location.js
angular/src/assets/metronic/themes/theme8/js/components/blockui.js
angular/src/assets/metronic/themes/theme8/js/custom/apps/support-center/general.js
angular/src/assets/metronic/themes/theme8/js/custom/apps/user-management/users/list/table.js
angular/src/assets/metronic/themes/theme8/js/custom/pages/general/pos.js
angular/src/assets/metronic/themes/theme8/js/custom/pages/general/pos.js
angular/src/assets/metronic/themes/theme8/js/custom/pages/general/pos.js
angular/src/assets/metronic/themes/theme8/js/custom/pages/pricing/general.js
angular/src/assets/metronic/themes/theme8/js/custom/pages/pricing/general.js
angular/src/assets/metronic/themes/theme8/js/custom/utilities/modals/share-earn.js
angular/src/assets/metronic/themes/theme8/js/custom/utilities/modals/upgrade-plan.js
angular/src/assets/metronic/themes/theme9/js/components/blockui.js
angular/src/assets/metronic/themes/theme9/js/components/feedback.js
angular/src/assets/metronic/themes/theme9/js/custom/apps/support-center/general.js
angular/src/assets/metronic/themes/theme9/js/custom/apps/user-management/users/list/table.js
angular/src/assets/metronic/themes/theme9/js/custom/pages/general/pos.js
angular/src/root.module.ts
angular/src/shared/helpers/DomHelper.ts
angular/src/shared/helpers/HtmlHelper.ts
-
Hi @mdepouw,
We don't use these Metronic JavaScript files directly. I will take a look at the following classes.
angular/src/root.module.ts angular/src/shared/helpers/DomHelper.ts angular/src/shared/helpers/HtmlHelper.ts
-
What about angular/gulpfile.js? Thanks!
-
Hi @mdepouw,
I don't think these will cause a security breach. But we will check the files you reported, thank you for your feedback.
-
Hello!
I'm following up on this on behalf of @mdepouw. Question for the support team regarding angular/src/shared/helpers/HtmlHelper.ts. This file is tripping https://cwe.mitre.org/data/definitions/79.html. When looking through the source code, I don't see any references to HtmlHelper.ts within the code base. Is there any reason we can't remove this file entirely?
-
Hello again!
Another follow-up question. angular/src/shared/helpers/DomHelper.ts is also tripping https://cwe.mitre.org/data/definitions/79.html. This feels like a legitimate risk, as depending on what's passed into it, it could run malicious JavaScript code. The recommendation is to sanitize any HTML that is set based on dynamic data. Below is the code that is getting flagged. Is this something the ASP.NET Zero team plans to do based on the CWE above?
static createElement(tag: string, attributes: any[]): any {
    let el = document.createElement(tag); // tag needs to be sanitized
    for (let i = 0; i < attributes.length; i++) {
        let attribute = attributes[i];
        el.setAttribute(attribute.key, attribute.value); // attribute.value needs to be sanitized
    }
    return el;
}
Thanks!
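For the DomHelper.createElement concern above, the following is an added example (not ASP.NET Zero's code) of what the requested sanitization can look like. The security-relevant detail it builds on: setAttribute does not parse HTML, so a value such as '<b>' cannot inject markup through it; what makes the call dangerous is an attacker-chosen attribute name (onerror, onclick, ...), a URL-valued attribute (href, src) carrying a javascript: or data: URL, or a tag such as script or iframe. The allowlists, the createElementSafe name and the fake document used to run it outside a browser are assumptions made for this example.

```typescript
// Added example (not ASP.NET Zero code): a hardened stand-in for
// DomHelper.createElement. The tag and attribute allowlists are assumptions
// made for this example; adjust them to what the app actually creates.

interface ElementLike {
  setAttribute(name: string, value: string): void;
}

interface DocumentLike {
  createElement(tag: string): ElementLike;
}

interface Attribute {
  key: string;
  value: string;
}

// Tags this helper may create; anything else (script, iframe, object, ...) is refused.
const ALLOWED_TAGS = new Set(['div', 'span', 'p', 'a', 'img', 'ul', 'li', 'button', 'input', 'label']);

// Attribute names that cannot carry script. data-* and aria-* are handled by prefix.
const ALLOWED_ATTRS = new Set([
  'class', 'id', 'title', 'alt', 'role', 'type', 'name', 'value',
  'placeholder', 'href', 'src', 'target', 'rel',
]);

// Attributes whose value the browser treats as a URL, so the scheme must be checked.
const URL_ATTRS = new Set(['href', 'src']);
const SAFE_SCHEMES = new Set(['http', 'https', 'mailto', 'tel']);

function isAllowedAttributeName(name: string): boolean {
  if (name.startsWith('on')) return false; // onerror, onclick, onload, ...
  if (name.startsWith('data-') || name.startsWith('aria-')) return true;
  return ALLOWED_ATTRS.has(name);
}

function isSafeUrl(value: string): boolean {
  // Browsers drop ASCII control characters and whitespace inside a scheme
  // ("java\tscript:"), so remove them before reading it. Only the check uses
  // the cleaned copy; the original value is what gets set.
  const cleaned = value.replace(/[\u0000-\u0020\u007f]/g, '').toLowerCase();
  const m = /^([a-z][a-z0-9+.-]*):/.exec(cleaned);
  if (m === null) return true; // no scheme: relative URL
  return SAFE_SCHEMES.has(m[1] ?? '');
}

// Fails closed: a disallowed tag, an event-handler attribute or a
// javascript:/data: URL throws instead of silently producing an element.
function createElementSafe(doc: DocumentLike, tag: string, attributes: Attribute[]): ElementLike {
  const t = tag.toLowerCase();
  if (!ALLOWED_TAGS.has(t)) throw new Error(`tag not allowed: ${tag}`);
  const el = doc.createElement(t);
  for (const { key, value } of attributes) {
    const k = key.toLowerCase();
    if (!isAllowedAttributeName(k)) throw new Error(`attribute not allowed: ${key}`);
    if (URL_ATTRS.has(k) && !isSafeUrl(value)) throw new Error(`unsafe URL in ${key}: ${value}`);
    // setAttribute does not parse HTML, so the value itself cannot inject markup
    // here; the risk lives in the attribute name and in URL-valued attributes.
    el.setAttribute(k, value);
  }
  return el;
}

// Constructed fake document so the example runs outside a browser. In the app you
// pass the real `document`, which satisfies DocumentLike structurally.
class FakeElement implements ElementLike {
  readonly tag: string;
  readonly attrs = new Map<string, string>();

  constructor(tag: string) {
    this.tag = tag;
  }

  setAttribute(name: string, value: string): void {
    this.attrs.set(name, value);
  }
}

const fakeDocument: DocumentLike = {
  createElement: (tag: string) => new FakeElement(tag),
};

// True when createElementSafe refuses the input.
function rejects(tag: string, attributes: Attribute[]): boolean {
  try {
    createElementSafe(fakeDocument, tag, attributes);
    return false;
  } catch {
    return true;
  }
}

// Accepted: an allowlisted tag with a safe absolute URL and a data-* attribute.
const link = createElementSafe(fakeDocument, 'a', [
  { key: 'href', value: 'https://example.com/' },
  { key: 'data-id', value: '42' },
]) as FakeElement;
```

Throwing rather than dropping the offending attribute is a deliberate choice: a silently stripped attribute hides a bug or an attack from the developer, whereas an exception surfaces in logs and tests. If the helper is only ever called with literal tag names and attribute keys from application code, the SAST finding is a false positive and the allowlist mostly documents that fact; if any key or URL value can come from server data, the checks above are what closes CWE-79 for this helper.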