
Unsanitized user input in dynamic HTML insertion (XSS) #12165


User avatar
0
mdepouw created

Our SAST scanning has recently flagged a bunch of XSS issues. Are you aware of these issues/findings? Have they already been addressed in the latest release by chance? Thanks!!

Here's one example:

"Result message: Unsanitized user input in dynamic HTML insertion (XSS) Snippet: KTUtil.setHTML(the.element, the.options.content); Rule name: javascript_lang_dangerous_insert_html Rule full description:

Description

Unsanitized user input in dynamic HTML insertion can lead to Cross-Site Scripting (XSS) attacks. This vulnerability arises when user-provided data is directly inserted into the DOM without proper sanitization, potentially allowing attackers to execute malicious scripts.

Remediations

  • Do use an HTML sanitization library to clean user input before inserting it into the HTML. This step helps prevent XSS attacks by removing or neutralizing any potentially harmful scripts.
    import sanitizeHtml from 'sanitize-html';
    
    const html = `<strong>${user.Input}</strong>`;
    document.body.innerHTML = sanitizeHtml(html);
    

References

  • OWASP XSS explained
  • https://docs.bearer.com/reference/rules/javascript_lang_dangerous_insert_html/

Files flagged

complaining about being too long, I'll reply to this post
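Worked example for the rule quoted above, added by the editor and not taken from the post, the ASP.NET Zero project or Metronic: it models the flagged sink (`KTUtil.setHTML`, assumed here to assign `innerHTML`, as Metronic's helper does) with a fake element and shows two fixes for a user-controlled `options.content`, encoding it at the point of interpolation or routing it through a text sink. The function names, the `FakeElement` class and the sample content are constructed for the example.

```javascript
// Editorial example; not code from the ASP.NET Zero or Metronic projects.
// Models the sink the SAST rule flagged (an innerHTML assignment) and shows
// the two safe ways to get user-controlled text through it.

// Characters the HTML parser gives meaning to in element content and in
// double- or single-quoted attribute values, with their entity replacements.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Output encoding: make a plain-text value render literally. Apply it exactly
// once, where the value is interpolated; encoding twice shows up as "&amp;amp;".
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Minimal stand-in for a DOM element so the sinks run under Node. It only
// records what each sink would hand to the browser; it does not parse HTML.
class FakeElement {
  constructor() { this.innerHTML = ''; this.textContent = ''; }
}

// The flagged sink: markup in `html` is parsed into live DOM nodes, so an event
// handler attribute on an injected element runs attacker-supplied script.
function setHTML(element, html) { element.innerHTML = html; }

// Text sink: the value is never parsed as markup, so it cannot create elements.
function setText(element, text) { element.textContent = String(text); }

// Before: the shape the rule matches. `options.content` is interpolated raw into
// a developer-owned template and handed to the HTML sink.
function renderMessageUnsafe(element, options) {
  setHTML(element, `<div class="message"><strong>${options.content}</strong></div>`);
  return element.innerHTML;
}

// After, when the template needs its own markup around the value: encode the
// user field as it is interpolated. The developer's tags survive; the user's cannot.
function renderMessage(element, options) {
  setHTML(element, `<div class="message"><strong>${escapeHtml(options.content)}</strong></div>`);
  return element.innerHTML;
}

// After, when no markup is needed: use the text sink instead.
function renderPlainMessage(element, options) {
  setText(element, options.content);
  return element.textContent;
}

// Review/test helper: does rendered output contain a tag the template did not put
// there, or an event-handler attribute inside a tag? Meant for tests and triage,
// not as a runtime filter; regex filtering is what sanitizer libraries exist to avoid.
function hasForeignMarkup(rendered, allowedTags) {
  const tags = [...rendered.matchAll(/<\/?([a-zA-Z][\w-]*)/g)].map((m) => m[1].toLowerCase());
  const foreignTag = tags.some((t) => !allowedTags.includes(t));
  const handlerAttr = /<[a-zA-Z][^>]*\son[a-z]+\s*=/i.test(rendered);
  return foreignTag || handlerAttr;
}

// Constructed sample: a message body an end user controls, carrying an image tag
// with an event handler (the attribute form is what makes innerHTML sinks dangerous).
const SAMPLE_CONTENT = 'Order <b>#42</b> failed: <img src=x onerror="evil()">';
const TEMPLATE_TAGS = ['div', 'strong'];
```

The rule's sanitize-html remediation is for the case where user-supplied markup must be preserved; when the field is text, encoding it once (or using the text sink) is the simpler and more robust fix.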


5 Answer(s)
  • User Avatar
    0
    mdepouw created

    Files flagged 1

    angular/gulpfile.js angular/src/assets/metronic/common/js/components/blockui.js angular/src/assets/metronic/common/js/components/dialog.js angular/src/assets/metronic/common/js/components/feedback.js angular/src/assets/metronic/themes/default/js/components/blockui.js angular/src/assets/metronic/themes/default/js/custom/account/referrals/referral-program.js angular/src/assets/metronic/themes/default/js/custom/apps/contacts/edit-contact.js angular/src/assets/metronic/themes/default/js/custom/apps/ecommerce/catalog/save-product.js angular/src/assets/metronic/themes/default/js/custom/apps/ecommerce/catalog/save-product.js angular/src/assets/metronic/themes/default/js/custom/apps/ecommerce/sales/save-order.js angular/src/assets/metronic/themes/default/js/custom/apps/ecommerce/sales/save-order.js angular/src/assets/metronic/themes/default/js/custom/apps/ecommerce/settings/settings.js angular/src/assets/metronic/themes/default/js/custom/apps/support-center/general.js angular/src/assets/metronic/themes/default/js/custom/apps/user-management/users/list/table.js angular/src/assets/metronic/themes/default/js/custom/pages/general/pos.js angular/src/assets/metronic/themes/default/js/custom/pages/general/pos.js angular/src/assets/metronic/themes/default/js/custom/pages/general/pos.js angular/src/assets/metronic/themes/default/js/custom/pages/pricing/general.js angular/src/assets/metronic/themes/default/js/custom/pages/pricing/general.js angular/src/assets/metronic/themes/default/js/custom/pages/social/feeds.js angular/src/assets/metronic/themes/default/js/custom/utilities/modals/select-location.js angular/src/assets/metronic/themes/default/js/custom/utilities/modals/share-earn.js angular/src/assets/metronic/themes/default/js/custom/utilities/modals/upgrade-plan.js angular/src/assets/metronic/themes/default/js/custom/utilities/modals/upgrade-plan.js angular/src/assets/metronic/themes/theme10/js/components/feedback.js 
angular/src/assets/metronic/themes/theme10/js/custom/account/referrals/referral-program.js angular/src/assets/metronic/themes/theme10/js/custom/apps/contacts/edit-contact.js angular/src/assets/metronic/themes/theme10/js/custom/apps/ecommerce/catalog/save-product.js angular/src/assets/metronic/themes/theme10/js/custom/apps/ecommerce/catalog/save-product.js angular/src/assets/metronic/themes/theme10/js/custom/apps/ecommerce/sales/save-order.js angular/src/assets/metronic/themes/theme10/js/custom/apps/ecommerce/sales/save-order.js angular/src/assets/metronic/themes/theme10/js/custom/apps/ecommerce/settings/settings.js angular/src/assets/metronic/themes/theme10/js/custom/apps/subscriptions/list/list.js angular/src/assets/metronic/themes/theme10/js/custom/apps/support-center/general.js angular/src/assets/metronic/themes/theme10/js/custom/apps/user-management/users/list/table.js angular/src/assets/metronic/themes/theme10/js/custom/authentication/sign-up/coming-soon.js angular/src/assets/metronic/themes/theme10/js/custom/authentication/sign-up/coming-soon.js angular/src/assets/metronic/themes/theme10/js/custom/authentication/sign-up/coming-soon.js angular/src/assets/metronic/themes/theme10/js/custom/authentication/sign-up/coming-soon.js angular/src/assets/metronic/themes/theme10/js/custom/pages/general/pos.js angular/src/assets/metronic/themes/theme10/js/custom/pages/general/pos.js angular/src/assets/metronic/themes/theme10/js/custom/pages/general/pos.js angular/src/assets/metronic/themes/theme10/js/custom/pages/pricing/general.js angular/src/assets/metronic/themes/theme10/js/custom/pages/pricing/general.js angular/src/assets/metronic/themes/theme10/js/custom/pages/social/feeds.js angular/src/assets/metronic/themes/theme10/js/custom/utilities/modals/select-location.js angular/src/assets/metronic/themes/theme10/js/custom/utilities/modals/share-earn.js angular/src/assets/metronic/themes/theme10/js/custom/utilities/modals/upgrade-plan.js 
angular/src/assets/metronic/themes/theme10/js/custom/utilities/modals/upgrade-plan.js angular/src/assets/metronic/themes/theme11/js/components/blockui.js angular/src/assets/metronic/themes/theme11/js/custom/account/referrals/referral-program.js angular/src/assets/metronic/themes/theme11/js/custom/apps/contacts/edit-contact.js angular/src/assets/metronic/themes/theme11/js/custom/apps/ecommerce/catalog/save-product.js angular/src/assets/metronic/themes/theme11/js/custom/apps/ecommerce/catalog/save-product.js angular/src/assets/metronic/themes/theme11/js/custom/apps/ecommerce/sales/save-order.js angular/src/assets/metronic/themes/theme11/js/custom/apps/ecommerce/sales/save-order.js angular/src/assets/metronic/themes/theme11/js/custom/apps/ecommerce/settings/settings.js angular/src/assets/metronic/themes/theme11/js/custom/apps/support-center/general.js angular/src/assets/metronic/themes/theme11/js/custom/apps/user-management/users/list/table.js angular/src/assets/metronic/themes/theme11/js/custom/pages/general/pos.js angular/src/assets/metronic/themes/theme11/js/custom/pages/general/pos.js angular/src/assets/metronic/themes/theme11/js/custom/pages/general/pos.js angular/src/assets/metronic/themes/theme11/js/custom/pages/pricing/general.js angular/src/assets/metronic/themes/theme11/js/custom/pages/pricing/general.js angular/src/assets/metronic/themes/theme11/js/custom/pages/social/feeds.js angular/src/assets/metronic/themes/theme11/js/custom/utilities/modals/select-location.js angular/src/assets/metronic/themes/theme11/js/custom/utilities/modals/share-earn.js angular/src/assets/metronic/themes/theme11/js/custom/utilities/modals/upgrade-plan.js angular/src/assets/metronic/themes/theme11/js/custom/utilities/modals/upgrade-plan.js angular/src/assets/metronic/themes/theme12/js/components/blockui.js angular/src/assets/metronic/themes/theme12/js/components/util.js angular/src/assets/metronic/themes/theme12/js/custom/account/referrals/referral-program.js 
angular/src/assets/metronic/themes/theme12/js/custom/apps/contacts/edit-contact.js angular/src/assets/metronic/themes/theme12/js/custom/apps/ecommerce/catalog/save-product.js angular/src/assets/metronic/themes/theme12/js/custom/apps/ecommerce/catalog/save-product.js angular/src/assets/metronic/themes/theme12/js/custom/apps/ecommerce/sales/save-order.js angular/src/assets/metronic/themes/theme12/js/custom/apps/ecommerce/sales/save-order.js angular/src/assets/metronic/themes/theme12/js/custom/apps/ecommerce/settings/settings.js angular/src/assets/metronic/themes/theme12/js/custom/apps/support-center/general.js angular/src/assets/metronic/themes/theme12/js/custom/apps/user-management/users/list/table.js angular/src/assets/metronic/themes/theme12/js/custom/authentication/sign-up/coming-soon.js angular/src/assets/metronic/themes/theme12/js/custom/authentication/sign-up/coming-soon.js angular/src/assets/metronic/themes/theme12/js/custom/authentication/sign-up/coming-soon.js angular/src/assets/metronic/themes/theme12/js/custom/authentication/sign-up/coming-soon.js angular/src/assets/metronic/themes/theme12/js/custom/pages/general/pos.js angular/src/assets/metronic/themes/theme12/js/custom/pages/general/pos.js angular/src/assets/metronic/themes/theme12/js/custom/pages/general/pos.js angular/src/assets/metronic/themes/theme12/js/custom/pages/pricing/general.js angular/src/assets/metronic/themes/theme12/js/custom/pages/pricing/general.js angular/src/assets/metronic/themes/theme12/js/custom/pages/social/feeds.js angular/src/assets/metronic/themes/theme12/js/custom/utilities/modals/select-location.js angular/src/assets/metronic/themes/theme12/js/custom/utilities/modals/share-earn.js angular/src/assets/metronic/themes/theme12/js/custom/utilities/modals/upgrade-plan.js angular/src/assets/metronic/themes/theme12/js/custom/utilities/modals/upgrade-plan.js angular/src/assets/metronic/themes/theme13/js/components/blockui.js 
angular/src/assets/metronic/themes/theme13/js/custom/account/referrals/referral-program.js angular/src/assets/metronic/themes/theme13/js/custom/apps/contacts/edit-contact.js angular/src/assets/metronic/themes/theme13/js/custom/apps/ecommerce/catalog/save-product.js angular/src/assets/metronic/themes/theme13/js/custom/apps/ecommerce/catalog/save-product.js angular/src/assets/metronic/themes/theme13/js/custom/apps/ecommerce/customers/listing/listing.js angular/src/assets/metronic/themes/theme13/js/custom/apps/ecommerce/sales/save-order.js angular/src/assets/metronic/themes/theme13/js/custom/apps/ecommerce/sales/save-order.js angular/src/assets/metronic/themes/theme13/js/custom/apps/ecommerce/settings/settings.js angular/src/assets/metronic/themes/theme13/js/custom/apps/support-center/general.js angular/src/assets/metronic/themes/theme13/js/custom/apps/user-management/users/list/table.js angular/src/assets/metronic/themes/theme13/js/custom/authentication/sign-up/coming-soon.js angular/src/assets/metronic/themes/theme13/js/custom/authentication/sign-up/coming-soon.js angular/src/assets/metronic/themes/theme13/js/custom/authentication/sign-up/coming-soon.js angular/src/assets/metronic/themes/theme13/js/custom/authentication/sign-up/coming-soon.js angular/src/assets/metronic/themes/theme13/js/custom/pages/general/pos.js angular/src/assets/metronic/themes/theme13/js/custom/pages/general/pos.js angular/src/assets/metronic/themes/theme13/js/custom/pages/general/pos.js angular/src/assets/metronic/themes/theme13/js/custom/pages/pricing/general.js angular/src/assets/metronic/themes/theme13/js/custom/pages/pricing/general.js angular/src/assets/metronic/themes/theme13/js/custom/pages/social/feeds.js angular/src/assets/metronic/themes/theme13/js/custom/utilities/modals/select-location.js angular/src/assets/metronic/themes/theme13/js/custom/utilities/modals/share-earn.js angular/src/assets/metronic/themes/theme13/js/custom/utilities/modals/upgrade-plan.js 
angular/src/assets/metronic/themes/theme13/js/custom/utilities/modals/upgrade-plan.js angular/src/assets/metronic/themes/theme2/js/components/blockui.js angular/src/assets/metronic/themes/theme2/js/custom/account/referrals/referral-program.js angular/src/assets/metronic/themes/theme2/js/custom/apps/contacts/edit-contact.js angular/src/assets/metronic/themes/theme2/js/custom/apps/ecommerce/catalog/save-product.js angular/src/assets/metronic/themes/theme2/js/custom/apps/ecommerce/catalog/save-product.js angular/src/assets/metronic/themes/theme2/js/custom/apps/ecommerce/sales/save-order.js angular/src/assets/metronic/themes/theme2/js/custom/apps/ecommerce/sales/save-order.js angular/src/assets/metronic/themes/theme2/js/custom/apps/ecommerce/settings/settings.js angular/src/assets/metronic/themes/theme2/js/custom/apps/support-center/general.js angular/src/assets/metronic/themes/theme2/js/custom/apps/user-management/users/list/table.js angular/src/assets/metronic/themes/theme2/js/custom/pages/general/pos.js angular/src/assets/metronic/themes/theme2/js/custom/pages/general/pos.js angular/src/assets/metronic/themes/theme2/js/custom/pages/general/pos.js angular/src/assets/metronic/themes/theme2/js/custom/pages/pricing/general.js angular/src/assets/metronic/themes/theme2/js/custom/pages/pricing/general.js angular/src/assets/metronic/themes/theme2/js/custom/pages/social/feeds.js angular/src/assets/metronic/themes/theme2/js/custom/utilities/modals/select-location.js angular/src/assets/metronic/themes/theme2/js/custom/utilities/modals/share-earn.js angular/src/assets/metronic/themes/theme2/js/custom/utilities/modals/upgrade-plan.js angular/src/assets/metronic/themes/theme2/js/custom/utilities/modals/upgrade-plan.js angular/src/assets/metronic/themes/theme3/js/components/blockui.js angular/src/assets/metronic/themes/theme3/js/custom/account/referrals/referral-program.js angular/src/assets/metronic/themes/theme3/js/custom/apps/contacts/edit-contact.js 
angular/src/assets/metronic/themes/theme3/js/custom/apps/ecommerce/catalog/save-product.js angular/src/assets/metronic/themes/theme3/js/custom/apps/ecommerce/catalog/save-product.js angular/src/assets/metronic/themes/theme3/js/custom/apps/ecommerce/sales/save-order.js angular/src/assets/metronic/themes/theme3/js/custom/apps/ecommerce/sales/save-order.js angular/src/assets/metronic/themes/theme3/js/custom/apps/ecommerce/settings/settings.js angular/src/assets/metronic/themes/theme3/js/custom/apps/support-center/general.js angular/src/assets/metronic/themes/theme3/js/custom/apps/user-management/users/list/table.js angular/src/assets/metronic/themes/theme3/js/custom/authentication/sign-up/coming-soon.js angular/src/assets/metronic/themes/theme3/js/custom/authentication/sign-up/coming-soon.js angular/src/assets/metronic/themes/theme3/js/custom/authentication/sign-up/coming-soon.js angular/src/assets/metronic/themes/theme3/js/custom/authentication/sign-up/coming-soon.js angular/src/assets/metronic/themes/theme3/js/custom/pages/general/pos.js angular/src/assets/metronic/themes/theme3/js/custom/pages/general/pos.js angular/src/assets/metronic/themes/theme3/js/custom/pages/general/pos.js angular/src/assets/metronic/themes/theme3/js/custom/pages/pricing/general.js angular/src/assets/metronic/themes/theme3/js/custom/pages/pricing/general.js angular/src/assets/metronic/themes/theme3/js/custom/pages/social/feeds.js angular/src/assets/metronic/themes/theme3/js/custom/utilities/modals/select-location.js angular/src/assets/metronic/themes/theme3/js/custom/utilities/modals/share-earn.js angular/src/assets/metronic/themes/theme3/js/custom/utilities/modals/upgrade-plan.js angular/src/assets/metronic/themes/theme3/js/custom/utilities/modals/upgrade-plan.js angular/src/assets/metronic/themes/theme4/js/components/blockui.js angular/src/assets/metronic/themes/theme4/js/custom/account/referrals/referral-program.js 
angular/src/assets/metronic/themes/theme4/js/custom/apps/contacts/edit-contact.js angular/src/assets/metronic/themes/theme4/js/custom/apps/ecommerce/catalog/save-product.js angular/src/assets/metronic/themes/theme4/js/custom/apps/ecommerce/catalog/save-product.js angular/src/assets/metronic/themes/theme4/js/custom/apps/ecommerce/sales/save-order.js angular/src/assets/metronic/themes/theme4/js/custom/apps/ecommerce/sales/save-order.js angular/src/assets/metronic/themes/theme4/js/custom/apps/ecommerce/settings/settings.js ...

  • User Avatar
    0
    mdepouw created

    Files flagged 2

    angular/src/assets/metronic/themes/theme5/js/custom/apps/ecommerce/sales/save-order.js angular/src/assets/metronic/themes/theme5/js/custom/apps/ecommerce/sales/save-order.js angular/src/assets/metronic/themes/theme5/js/custom/apps/ecommerce/settings/settings.js angular/src/assets/metronic/themes/theme5/js/custom/apps/support-center/general.js angular/src/assets/metronic/themes/theme5/js/custom/apps/user-management/users/list/table.js angular/src/assets/metronic/themes/theme5/js/custom/pages/general/pos.js angular/src/assets/metronic/themes/theme5/js/custom/pages/general/pos.js angular/src/assets/metronic/themes/theme5/js/custom/pages/general/pos.js angular/src/assets/metronic/themes/theme5/js/custom/pages/pricing/general.js angular/src/assets/metronic/themes/theme5/js/custom/pages/pricing/general.js angular/src/assets/metronic/themes/theme5/js/custom/pages/social/feeds.js angular/src/assets/metronic/themes/theme5/js/custom/utilities/modals/select-location.js angular/src/assets/metronic/themes/theme5/js/custom/utilities/modals/share-earn.js angular/src/assets/metronic/themes/theme6/js/components/blockui.js angular/src/assets/metronic/themes/theme6/js/components/feedback.js angular/src/assets/metronic/themes/theme6/js/custom/account/referrals/referral-program.js angular/src/assets/metronic/themes/theme6/js/custom/apps/contacts/edit-contact.js angular/src/assets/metronic/themes/theme6/js/custom/apps/ecommerce/catalog/save-product.js angular/src/assets/metronic/themes/theme6/js/custom/apps/ecommerce/catalog/save-product.js angular/src/assets/metronic/themes/theme6/js/custom/apps/ecommerce/sales/save-order.js angular/src/assets/metronic/themes/theme6/js/custom/apps/ecommerce/sales/save-order.js angular/src/assets/metronic/themes/theme6/js/custom/apps/ecommerce/settings/settings.js angular/src/assets/metronic/themes/theme6/js/custom/apps/support-center/general.js angular/src/assets/metronic/themes/theme6/js/custom/apps/user-management/users/list/table.js 
angular/src/assets/metronic/themes/theme6/js/custom/authentication/sign-up/coming-soon.js angular/src/assets/metronic/themes/theme6/js/custom/authentication/sign-up/coming-soon.js angular/src/assets/metronic/themes/theme6/js/custom/authentication/sign-up/coming-soon.js angular/src/assets/metronic/themes/theme6/js/custom/authentication/sign-up/coming-soon.js angular/src/assets/metronic/themes/theme6/js/custom/pages/general/pos.js angular/src/assets/metronic/themes/theme6/js/custom/pages/general/pos.js angular/src/assets/metronic/themes/theme6/js/custom/pages/general/pos.js angular/src/assets/metronic/themes/theme6/js/custom/utilities/modals/share-earn.js angular/src/assets/metronic/themes/theme6/js/custom/utilities/modals/upgrade-plan.js angular/src/assets/metronic/themes/theme6/js/custom/utilities/modals/upgrade-plan.js angular/src/assets/metronic/themes/theme7/js/components/blockui.js angular/src/assets/metronic/themes/theme7/js/custom/account/referrals/referral-program.js angular/src/assets/metronic/themes/theme7/js/custom/apps/contacts/edit-contact.js angular/src/assets/metronic/themes/theme7/js/custom/apps/ecommerce/catalog/save-product.js angular/src/assets/metronic/themes/theme7/js/custom/apps/ecommerce/catalog/save-product.js angular/src/assets/metronic/themes/theme7/js/custom/apps/ecommerce/sales/save-order.js angular/src/assets/metronic/themes/theme7/js/custom/apps/ecommerce/sales/save-order.js angular/src/assets/metronic/themes/theme7/js/custom/apps/ecommerce/settings/settings.js angular/src/assets/metronic/themes/theme7/js/custom/apps/support-center/general.js angular/src/assets/metronic/themes/theme7/js/custom/pages/general/pos.js angular/src/assets/metronic/themes/theme7/js/custom/pages/general/pos.js angular/src/assets/metronic/themes/theme7/js/custom/pages/pricing/general.js angular/src/assets/metronic/themes/theme7/js/custom/pages/pricing/general.js angular/src/assets/metronic/themes/theme7/js/custom/pages/social/feeds.js 
angular/src/assets/metronic/themes/theme7/js/custom/utilities/modals/select-location.js angular/src/assets/metronic/themes/theme8/js/components/blockui.js angular/src/assets/metronic/themes/theme8/js/custom/apps/support-center/general.js angular/src/assets/metronic/themes/theme8/js/custom/apps/user-management/users/list/table.js angular/src/assets/metronic/themes/theme8/js/custom/pages/general/pos.js angular/src/assets/metronic/themes/theme8/js/custom/pages/general/pos.js angular/src/assets/metronic/themes/theme8/js/custom/pages/general/pos.js angular/src/assets/metronic/themes/theme8/js/custom/pages/pricing/general.js angular/src/assets/metronic/themes/theme8/js/custom/pages/pricing/general.js angular/src/assets/metronic/themes/theme8/js/custom/utilities/modals/share-earn.js angular/src/assets/metronic/themes/theme8/js/custom/utilities/modals/upgrade-plan.js angular/src/assets/metronic/themes/theme9/js/components/blockui.js angular/src/assets/metronic/themes/theme9/js/components/feedback.js angular/src/assets/metronic/themes/theme9/js/custom/apps/support-center/general.js angular/src/assets/metronic/themes/theme9/js/custom/apps/user-management/users/list/table.js angular/src/assets/metronic/themes/theme9/js/custom/pages/general/pos.js angular/src/root.module.ts angular/src/shared/helpers/DomHelper.ts angular/src/shared/helpers/HtmlHelper.ts

  • User Avatar
    0
    m.aliozkaya created
    Support Team

    Hi @mdepouw,

    We don't use these Metronic JavaScript files directly. I will take a look at the following classes.

    angular/src/root.module.ts angular/src/shared/helpers/DomHelper.ts angular/src/shared/helpers/HtmlHelper.ts

  • User Avatar
    0
    mdepouw created

    What about angular/gulpfile.js? Thanks!

  • User Avatar
    0
    m.aliozkaya created
    Support Team

    Hi @mdepouw,

    I don't think these will cause a security breach. But we will check the files you reported, thank you for your feedback.