
CWE-79 - Unsanitized Content


Hello!

We are running an Angular 18 application using the Metronic theme and love it (we're running Metronic 8.2). However, we recently ran the project through a SAST scan and it returned a number of vulnerabilities tied to https://cwe.mitre.org/data/definitions/79.html.

Basically, it's complaining in a number of places that innerHTML is getting set without explicitly sanitizing the content. For example, in /js/custom/apps/ecommerce/settings/settings.js, we're receiving the following High weakness based on the CWE above:

**Result message:** Unsanitized user input in dynamic HTML insertion (XSS)
**Snippet:**
```javascript
span.innerHTML = template;
```
**Rule name:** javascript_lang_dangerous_insert_html
**Rule full description:**
## Description

Unsanitized user input in dynamic HTML insertion can lead to Cross-Site Scripting (XSS) attacks. This vulnerability arises when user-provided data is directly inserted into the DOM without proper sanitization, potentially allowing attackers to execute malicious scripts.

## Remediations

- **Do** use an HTML sanitization library to clean user input before inserting it into the HTML. This step helps prevent XSS attacks by removing or neutralizing any potentially harmful scripts.
```javascript
import sanitizeHtml from 'sanitize-html';

const html = `${user.Input}`;
document.body.innerHTML = sanitizeHtml(html);
```
There are a number of similar items that arose based on unsanitized content. I was just wondering if this is something that will likely be addressed in a future release or roadmap.

Thanks!
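To make the finding concrete, here is an added example (JavaScript, written for this thread; it is neither Metronic's `settings.js` nor the original poster's code). It shows the two shapes the SAST rule distinguishes: a template that interpolates untrusted data straight into markup that then reaches `innerHTML`, and the same template with the data HTML-escaped first. It also includes a small triage helper that lists `innerHTML` assignments whose right-hand side is not wrapped in a known sanitizer or escaper, which is one way to sort the "number of similar items" into true findings and already-safe ones. The function names (`escapeHtml`, `renderSafe`, `findUnescapedInnerHtml`, `setContent`), the sample source lines and the untrusted store name are all constructed for the example; the actual contents of the Metronic template are not known here.

```javascript
// Added example, not Metronic's code: escaping untrusted data before it is
// interpolated into an innerHTML template, plus a triage helper for SAST findings.

// The five characters that can break out of an HTML text or attribute context.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape all of them in one pass so '&' is never double-encoded.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Vulnerable shape: `name` reaches the markup unchanged, so if it ever carries
// user-controlled text the resulting string executes as HTML when assigned to innerHTML.
function renderUnsafe(name) {
  return `<span class="fw-bold">${name}</span>`;
}

// Hardened shape: the markup is still the developer's; only the data is escaped.
function renderSafe(name) {
  return `<span class="fw-bold">${escapeHtml(name)}</span>`;
}

// Hypothetical setter mirroring `span.innerHTML = template`. In a browser `el`
// is a DOM element; any object with an `innerHTML` property works for the demo.
function setContent(el, name) {
  el.innerHTML = renderSafe(name);
  return el.innerHTML;
}

// Triage helper: return the innerHTML assignments in `source` whose right-hand
// side is not a direct call to one of the listed sanitizer/escaper functions.
// Assumption: the safe call is the outermost expression on that line.
function findUnescapedInnerHtml(source, safeCalls = ['sanitizeHtml', 'escapeHtml', 'DOMPurify.sanitize']) {
  const hits = [];
  source.split('\n').forEach((line, i) => {
    const m = line.match(/\.innerHTML\s*=(?!=)\s*(.+?);?\s*$/);
    if (!m) return;
    const rhs = m[1];
    const wrapped = safeCalls.some((fn) => rhs.startsWith(fn + '('));
    if (!wrapped) hits.push({ line: i + 1, rhs });
  });
  return hits;
}

// Constructed sample input: a store name an end user could have typed into a settings form.
const UNTRUSTED_NAME = '<img src=x onerror="alert(1)">';

// Constructed sample source: line 2 mimics the flagged snippet, line 3 is already escaped.
const SAMPLE_SOURCE = [
  'const template = `<span>${name}</span>`;',
  'span.innerHTML = template;',
  'other.innerHTML = escapeHtml(name);',
].join('\n');

console.log('unsafe :', renderUnsafe(UNTRUSTED_NAME));
console.log('safe   :', renderSafe(UNTRUSTED_NAME));
console.log('triage :', findUnescapedInnerHtml(SAMPLE_SOURCE));
```

Running it prints the unsafe string with a live `<img>` tag, the safe string with `&lt;img ...&gt;` (which the browser renders as visible text), and a triage list containing only line 2. When the data is plain text rather than markup, assigning it with `textContent` instead of `innerHTML` removes the need to escape at all; escaping as above is for the case where the template itself must stay HTML.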



Replies (2)


@basket random Very impressed with your feedback.



Hi

Thank you for your feedback! We appreciate it. We'll prioritize addressing the issue and will work to fix it in an upcoming release.

