Hello!
Question for the support team regarding angular/src/shared/helpers/HtmlHelper.ts. This file is tripping https://cwe.mitre.org/data/definitions/79.html. When looking through the source code, I don't see any references to HtmlHelper.ts within the code base. Is there any reason we can't remove this file entirely?
angular/src/shared/helpers/DomHelper.ts is also tripping https://cwe.mitre.org/data/definitions/79.html. This feels like a legitimate risk, as depending on what's passed into it, it could run malicious JavaScript code. The recommendation is to sanitize any HTML that is set based on dynamic data. Below is the code that is getting flagged. Is this something the ASP.NET Zero team plans to do based on the CWE above?
    static createElement(tag: string, attributes: any[]): any {
        let el = document.createElement(tag); // tag needs to be sanitized
        for (let i = 0; i < attributes.length; i++) {
            let attribute = attributes[i];
            el.setAttribute(attribute.key, attribute.value); // attribute.value needs to be sanitized
        }
        return el;
    }
Thanks!
Hi @mdepouw,
I don't think these will cause a security breach. But we will check the files you reported, thank you for your feedback.
Hello again!
Another follow-up question. angular/src/shared/helpers/DomHelper.ts is also tripping https://cwe.mitre.org/data/definitions/79.html. This feels like a legitimate risk, as depending on what's passed into it, it could run malicious JavaScript code. The recommendation is to sanitize any HTML that is set based on dynamic data. Below is the code that is getting flagged. Is this something the ASP.NET Zero team plans to do based on the CWE above?
    static createElement(tag: string, attributes: any[]): any {
        let el = document.createElement(tag); // tag needs to be sanitized
        for (let i = 0; i < attributes.length; i++) {
            let attribute = attributes[i];
            el.setAttribute(attribute.key, attribute.value); // attribute.value needs to be sanitized
        }
        return el;
    }
Thanks!
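A hardened stand-in for the flagged DomHelper.createElement, added here as an example (not ASP.NET Zero's code): it allowlists tag and attribute names, refuses on* event-handler attributes, and only lets relative or http(s) URLs into href/src. The allowlists and the in-memory document stand-in are constructed for illustration; a real deployment would pass the browser's document and its own allowlists.

```typescript
// Added example, not ASP.NET Zero's code: a hardened stand-in for DomHelper.createElement.
// Tag and attribute names are checked against allowlists (constructed here; adjust to the app),
// on* handlers are refused, and href/src may only hold relative or http(s) URLs.
interface Attribute { key: string; value: string; }
interface ElementLike { setAttribute(name: string, value: string): void; }
interface DocumentLike { createElement(tag: string): ElementLike; }
const ALLOWED_TAGS = new Set(["div", "span", "p", "a", "img", "ul", "li", "button"]);
const ALLOWED_ATTRIBUTES = new Set(["id", "class", "title", "alt", "role", "aria-label", "href", "src"]);
const URL_ATTRIBUTES = new Set(["href", "src"]);
// Browsers drop embedded whitespace/control characters when parsing a scheme, so strip them
// before deciding whether the value carries a scheme at all.
function isSafeUrl(value: string): boolean {
  const compact = value.replace(/[\u0000-\u0020]/g, "").toLowerCase();
  if (!/^[a-z][a-z0-9+.-]*:/.test(compact)) return true; // relative path, query or fragment
  return compact.startsWith("http:") || compact.startsWith("https:");
}
// Returns null when the attribute is acceptable, otherwise the reason it was rejected.
function validateAttribute(attr: Attribute): string | null {
  const key = attr.key.toLowerCase();
  if (!/^[a-z][a-z0-9-]*$/.test(key)) return `attribute name "${attr.key}" is not a plain identifier`;
  if (key.startsWith("on")) return `event handler attribute "${attr.key}" is not allowed`;
  if (!ALLOWED_ATTRIBUTES.has(key)) return `attribute "${attr.key}" is not on the allowlist`;
  if (URL_ATTRIBUTES.has(key) && !isSafeUrl(attr.value)) return `unsafe URL in "${attr.key}"`;
  return null;
}
// Validates everything first, so nothing is written to the element unless every input passed.
function createElementSafely(doc: DocumentLike, tag: string, attributes: Attribute[]): ElementLike {
  const lowerTag = tag.toLowerCase();
  if (!ALLOWED_TAGS.has(lowerTag)) throw new Error(`tag "${tag}" is not on the allowlist`);
  for (const attr of attributes) {
    const problem = validateAttribute(attr);
    if (problem !== null) throw new Error(problem);
  }
  const el = doc.createElement(lowerTag);
  for (const attr of attributes) el.setAttribute(attr.key.toLowerCase(), attr.value);
  return el;
}
// Constructed in-memory stand-in for `document`, so the helper runs outside a browser.
class MemoryElement implements ElementLike {
  tag: string; attrs: Record<string, string> = {};
  constructor(tag: string) { this.tag = tag; }
  setAttribute(name: string, value: string): void { this.attrs[name] = value; }
}
const memoryDocument: DocumentLike = { createElement: (tag: string) => new MemoryElement(tag) };
// Same checks, but reports the rejection reason instead of throwing (null means accepted).
function rejectionReason(tag: string, attributes: Attribute[]): string | null {
  try { createElementSafely(memoryDocument, tag, attributes); return null; }
  catch (e) { return (e as Error).message; }
}
```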
Hi @mdepouw,
I don't think these will cause a security breach. But we will check the files you reported, thank you for your feedback.
Hello!
I'm following up on this on behalf of @mdepouw. Question for the support team regarding angular/src/shared/helpers/HtmlHelper.ts. This file is tripping https://cwe.mitre.org/data/definitions/79.html. When looking through the source code, I don't see any references to HtmlHelper.ts within the code base. Is there any reason we can't remove this file entirely?
Hello, I wanted to follow up on this item.
Our security team is asking for a definitive list of ALL information stored in local storage and its purpose. Can you please provide a list of ALL objects stored in local storage and the purpose of each object? We're also using v13.2.
Thank you!
Geoff