Hello!
We are running an Angular 18 application using the Metronic theme and love it (we're running Metronic 8.2). However, we recently ran the project through a SAST scan and it returned a number of vulnerabilities tied to
Basically, it's complaining in a number of places that innerHTML is getting set without explicitly sanitizing the content. For example, in /js/custom/apps/ecommerce/settings/settings.js, we're receiving the following High weakness based on the CWE above:
**Result message:** Unsanitized user input in dynamic HTML insertion (XSS)
**Snippet:**
`span.innerHTML = template;`
**Rule name:** javascript_lang_dangerous_insert_html
**Rule full description:**
## Description
Unsanitized user input in dynamic HTML insertion can lead to Cross-Site Scripting (XSS) attacks. This vulnerability arises when user-provided data is directly inserted into the DOM without proper sanitization, potentially allowing attackers to execute malicious scripts.
## Remediations
- **Do** use an HTML sanitization library to clean user input before inserting it into the HTML. This step helps prevent XSS attacks by removing or neutralizing any potentially harmful scripts.
```javascript
import sanitizeHtml from 'sanitize-html';
const html = `${user.Input}`;
document.body.innerHTML = sanitizeHtml(html);
```
There are a number of similar items that arose based on unsanitized content. I was just wondering if this is something that will likely be addressed in a future release or roadmap.
Thanks!
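To illustrate the finding, here is an added example (not Metronic's code) of the flagged shape, a template interpolated into `innerHTML`, next to two ways to close the sink: escaping every interpolated value, or building the dynamic part with `textContent`. The badge markup and the `status` value are assumptions for illustration.

```javascript
// Added example, not code from Metronic. The scanner flags
// `span.innerHTML = template` when `template` interpolates values that
// may originate from user input; the value is parsed as markup.

const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Escape the five characters that can change HTML context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Flagged shape: the raw value lands inside the markup unchanged.
function buildBadgeUnsafe(status) {
  return `<span class="badge badge-light-primary">${status}</span>`;
}

// Hardened shape: every interpolated value is escaped before insertion,
// so it can only ever be displayed as text.
function buildBadgeSafe(status) {
  return `<span class="badge badge-light-primary">${escapeHtml(status)}</span>`;
}

// Alternative that avoids innerHTML for the dynamic part entirely:
// static structure via createElement, dynamic text via textContent,
// which the browser never parses as HTML. `doc` is the DOM document
// (passed in so the function can be exercised without a browser).
function renderBadge(doc, status) {
  const span = doc.createElement('span');
  span.className = 'badge badge-light-primary';
  span.textContent = status;
  return span;
}
```

Angular sanitizes `[innerHTML]` bindings in its own templates, but the plain JavaScript under /js/custom runs outside Angular's sanitizer, so it needs its own escaping or a `textContent`-based approach.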
@basket random Very impressed with your feedback.
Hi
Thank you for your feedback! We appreciate it. We'll prioritize addressing the issue and will work to fix it in an upcoming release.