
CWE-79 - Unsanitized Content

Hello!

We're running an Angular 18 application using the Metronic theme and love it (we're running Metronic 8.2). However, we recently ran the project through a SAST scan and it returned a number of vulnerabilities tied to https://cwe.mitre.org/data/definitions/79.html.

Basically, it's complaining in a number of places that innerHTML is getting set without explicitly sanitizing the content. For example, in /js/custom/apps/ecommerce/settings/settings.js, we're receiving the following High weakness based on the CWE above:

Result message: Unsanitized user input in dynamic HTML insertion (XSS)
Snippet: `span.innerHTML = template;`
Rule name: javascript_lang_dangerous_insert_html
Rule full description:

Description

Unsanitized user input in dynamic HTML insertion can lead to Cross-Site Scripting (XSS) attacks. This vulnerability arises when user-provided data is directly inserted into the DOM without proper sanitization, potentially allowing attackers to execute malicious scripts.

Remediations

  • Do use an HTML sanitization library to clean user input before inserting it into the HTML. This step helps prevent XSS attacks by removing or neutralizing any potentially harmful scripts.

    ```js
    import sanitizeHtml from 'sanitize-html';

    // Untrusted data is interpolated into markup first...
    const html = `<strong>${user.Input}</strong>`;
    // ...and the resulting string is sanitized (script/event-handler markup removed) before insertion.
    document.body.innerHTML = sanitizeHtml(html);
    ```

There are a number of similar items that arose based on unsanitized content. I was just wondering if this is something that will likely be addressed in a future release or roadmap.

Thanks!
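To make the finding concrete, here is the pattern the rule flags next to two hardened forms. This is an added example, not code from Metronic or from the post; the `renderBadge*` functions, `escapeHtml`, `setBadge` and the sample input are constructed for illustration, and the fake DOM objects exist only so it runs outside a browser.

```javascript
// Vulnerable pattern (CWE-79): untrusted text is interpolated into an HTML
// string that is later assigned to element.innerHTML, so any markup in the
// value is parsed and executed by the browser.
function renderBadgeUnsafe(label) {
  return `<span class="badge badge-light-primary">${label}</span>`;
}

// Hardened form 1: escape the characters HTML treats specially, so the value is
// rendered as text even though the string-template style of the theme is kept.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

function renderBadgeSafe(label) {
  return `<span class="badge badge-light-primary">${escapeHtml(label)}</span>`;
}

// Hardened form 2 (preferred when a DOM is available): build the element with
// DOM APIs and set textContent, so the dynamic part is never parsed as HTML
// and no sanitizer is needed.
function setBadge(container, label) {
  container.textContent = '';                      // clear previous content
  const badge = container.ownerDocument.createElement('span');
  badge.className = 'badge badge-light-primary';
  badge.textContent = label;                       // text node, not markup
  container.appendChild(badge);
  return badge;
}

// Constructed sample input: markup a user could type into a settings field.
const constructedInput = '<b>Tag</b> & "quotes"';

// Minimal stand-ins for document/element so the example runs under Node.
const fakeDocument = {
  createElement: (tagName) => ({ tagName, className: '', textContent: '' }),
};
function makeFakeSpan() {
  const span = { ownerDocument: fakeDocument, textContent: 'old', children: [] };
  span.appendChild = (node) => span.children.push(node);
  return span;
}
```

With the unsafe renderer the `<b>` element survives intact and would be parsed by the browser; the escaped and DOM-built versions keep it as literal text.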


Replies (2)

@basket random Very impressed with your feedback.

Hi

Thank you for your feedback! We appreciate it. We'll prioritize addressing the issue and will work to fix it in an upcoming release.
