Hello!
We are running an Angular 18 application using the Metronic theme and love it (we're running Metronic 8.2). However, we recently ran the project through a SAST scan and it returned a number of vulnerabilities tied to https://cwe.mitre.org/data/definitions/79.html.
Basically, it's complaining in a number of places that innerHTML is getting set without explicitly sanitizing the content. For example, in /js/custom/apps/ecommerce/settings/settings.js, we're receiving the following High weakness based on the CWE above:
**Result message:** Unsanitized user input in dynamic HTML insertion (XSS)
**Snippet:**
```javascript
span.innerHTML = template;
```
**Rule name:** javascript_lang_dangerous_insert_html
**Rule full description:**
## Description
Unsanitized user input in dynamic HTML insertion can lead to Cross-Site Scripting (XSS) attacks. This vulnerability arises when user-provided data is directly inserted into the DOM without proper sanitization, potentially allowing attackers to execute malicious scripts.
## Remediations
- **Do** use an HTML sanitization library to clean user input before inserting it into the HTML. This step helps prevent XSS attacks by removing or neutralizing any potentially harmful scripts.
```javascript
import sanitizeHtml from 'sanitize-html';
const html = `${user.Input}`;
document.body.innerHTML = sanitizeHtml(html);
```
There are a number of similar items that arose based on unsanitized content. I was just wondering if this is something that will likely be addressed in a future release or roadmap.
Thanks!
Hi
Thank you for your feedback! We appreciate it. We'll prioritize addressing the issue and will work to fix it in an upcoming release.