Hello!
Question for the support team regarding angular/src/shared/helpers/HtmlHelper.ts. This file is tripping https://cwe.mitre.org/data/definitions/79.html. When looking through the source code, I don't see any references to HtmlHelper.ts within the code base. Is there any reason we can't remove this file entirely?
angular/src/shared/helpers/DomHelper.ts is also tripping https://cwe.mitre.org/data/definitions/79.html. This feels like a legitimate risk, as depending on what's passed into it, it could run malicious JavaScript code. The recommendation is to sanitize any HTML that is set based on dynamic data. Below is the code that is getting flagged. Is this something the ASP.NET Zero team plans to do based on the CWE above?
```typescript
static createElement(tag: string, attributes: any[]): any {
    let el = document.createElement(tag); // tag needs to be sanitized
    for (let i = 0; i < attributes.length; i++) {
        let attribute = attributes[i];
        el.setAttribute(attribute.key, attribute.value); // attribute.value needs to be sanitized
    }
    return el;
}
```
Thanks!
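A hardened counterpart to the flagged createElement, as an added example (not code from the ASP.NET Zero project): tag names are checked against an allowlist, event-handler and style attributes are dropped, and URL-bearing attributes are checked so that javascript: or data: URLs never reach setAttribute. The allowlist contents and the function names are assumptions.

```typescript
// Added example, not ASP.NET Zero code: a hardened counterpart to
// DomHelper.createElement. The tag allowlist below is an assumption;
// a real project would list the tags it actually renders.
const ALLOWED_TAGS = new Set(["div", "span", "p", "a", "img", "ul", "li", "button"]);
const URL_ATTRIBUTES = new Set(["href", "src"]);
const ATTRIBUTE_NAME = /^[a-z][a-z0-9-]*$/;

interface HtmlAttribute { key: string; value: string; }

function isSafeTag(tag: string): boolean {
  return ALLOWED_TAGS.has(tag.toLowerCase());
}

// Browsers strip ASCII control characters and spaces before parsing a URL
// scheme, so strip them here too before checking for "javascript:" etc.
function isSafeUrl(value: string): boolean {
  const v = value.replace(/[\u0000-\u0020]/g, "").toLowerCase();
  const hasScheme = /^[a-z][a-z0-9+.-]*:/.test(v);
  if (!hasScheme) return true;                 // relative URL, no scheme
  return v.startsWith("http:") || v.startsWith("https:");
}

function isSafeAttribute(attr: HtmlAttribute): boolean {
  const key = attr.key.toLowerCase();
  if (!ATTRIBUTE_NAME.test(key)) return false; // odd names such as "on click"
  if (key.startsWith("on")) return false;      // onclick, onerror, onload, ...
  if (key === "style" || key === "srcdoc") return false;
  if (URL_ATTRIBUTES.has(key) && !isSafeUrl(attr.value)) return false;
  return true;
}

// Returns only the attributes that pass the checks above, preserving order.
function filterAttributes(attributes: HtmlAttribute[]): HtmlAttribute[] {
  return attributes.filter(isSafeAttribute);
}

// Same shape as the original helper, but refuses unknown tags and drops unsafe
// attributes. Reads document via globalThis so the checks can be tested without a DOM.
function createSafeElement(tag: string, attributes: HtmlAttribute[]): any {
  if (!isSafeTag(tag)) throw new Error(`Tag not allowed: ${tag}`);
  const doc = (globalThis as any).document;
  const el = doc.createElement(tag);
  for (const a of filterAttributes(attributes)) el.setAttribute(a.key, a.value);
  return el;
}
```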
1 Answer(s)
Hi @gtewksbury
Sorry for the late reply. These classes are accessed by developers and not end users, so I think it doesn't cause any issues. But, we will remove HtmlHelper and try to replace DomHelper with an alternative if possible. You can follow https://github.com/aspnetzero/aspnet-zero-core/issues/5434