npm audit warning for aurelia-framework - XSS vulnerability in default HTML sanitizer implementation #992
Comments
Thank you for reporting this issue. We will be releasing a new minor version of the templating package, with a throw, instead of the current way of doing it. After that, we will be upgrading the min dependency requirement here.
@bigopon Any ETA for the templating package security update?
@josundt The release is already out with v1.14.0: https://github.com/aurelia/templating-resources/releases/tag/1.14.0. Edit: Just realized, there might be some further changes that are required.
@Sayan751 I found that Even if the latest Maybe new releases of the upstream dependencies with bumped version constraint for
with Thanks @mroeling, @josundt for reporting & help resolving the issue & @Sayan751 for the discussion. Though I'm not sure how we should actually make npm aware of this. @mroeling can you have a check and update the status?
Even though I'm happy to see this resolved, @bigopon are you sure you meant to tag me in here? :)
@mroeling I think that's because you are credited in the reported vulnerability: GHSA-m6j2-v3gq-45r5.
Ah, yes, I've contributed by adding, I think, the last line to the references :) Thanks for pointing that out. But I had nothing to do with the original findings. So no, I don't think I'm the appropriate person in this matter... Edit: I've sent the link to this thread to the raiser of the issue on the Aurelia forum.
I've submitted a resolution at github/advisory-database#175
It's been merged: github/advisory-database#175. This issue is resolved. Thanks everyone.
@bigopon what's the official recommended way to fix the new error which is thrown? Is there a plugin you recommend for html sanitisation? I found this https://www.npmjs.com/package/@appex/aurelia-dompurify/v/0.5.0 but it's not been touched in a year.
@milkshakeuk you can do the following:

```js
import { HTMLSanitizer } from 'aurelia-templating-resources'
import createDOMPurify from 'dompurify'

export function configure(aurelia) {
  ...
  aurelia.container.registerSingleton(HTMLSanitizer, class MySanitizer {
    constructor() {
      this.purifier = createDOMPurify(window);
    }
    sanitize(html) {
      return this.purifier.sanitize(dirty);
    }
  })
}
```
Hi, it is a bit disappointing that this security fix has resulted in existing functionality ceasing to work without much warning. The docs should also provide the solution above to the error.
A typescript version for the above
That last return line needs to be 'html' instead of 'dirty' right? |
I'm submitting a security vulnerability audit report

aurelia-framework 1.3.1

Please tell us about your environment:

Operating System: Windows 11 (N/A)
Node Version: 16.14.1 (LTS)
NPM Version: 8.3.1 (LTS)
Aurelia CLI OR JSPM OR Webpack AND Version: N/A
Browser: N/A
Language: all

Current behavior:

When installing Aurelia 1 (aurelia-framework) using npm, audit warnings are displayed, with reference to this vulnerability description.

The Aurelia products developed by my company are not really affected, since we have implemented our own improved Aurelia HTMLSanitizer package (stored on our internal npm repository). We use this as a replacement for the default, limited sanitizer implementation included with aurelia-framework (as recommended in your documentation pages). Our sanitizer package is a pure ESM package that works both in browser AND node (using jsdom) environments, and it is configurable by "allow-listing" html element names/attributes per element type, and also inline CSS style properties...

If it is of interest, I could ask if it is OK to make the source code for our sanitizer package public, so that you could review/test it.
Then we could discuss making the package public, or if you prefer dissecting the code to make it an integral part of the aurelia-framework source code, we could maybe "donate" the code for this purpose as well.
I would need some confirmations from management first though.
Whatever you prefer, I think something should be done to get rid of the vulnerability audit warnings.
Awaiting reply.
Expected/desired behavior:
Aurelia 1 should mitigate the vulnerability by including a better html sanitization feature to get rid of audit warnings when installed from npm repository.
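As an added example, not code from this thread, from the reporter's internal package, or from any Aurelia package: a JavaScript sketch of the allow-list design the reporter describes (element names, per-element attributes and inline style properties are all allow-listed, and anything unlisted is removed), shaped so that its `sanitize(html)` method is what @bigopon's snippet registers in place of `HTMLSanitizer`. The policy tables, the regex tokenizer and the class name `AllowListSanitizer` are assumptions made for this example. The DOMPurify-backed class posted earlier in the thread remains the practical choice for production, because a hand-written tokenizer can disagree with a real HTML parser on malformed input; the value of this sketch is in showing the deny-by-default policy checks (unknown element, unknown attribute, URL scheme, style property) that any such sanitizer has to make.

```javascript
// Added illustration of an allow-list HTML sanitizer (not the reporter's package, not
// aurelia-templating-resources). Everything not explicitly listed below is removed.

// element name -> attributes allowed on it (constructed policy; extend per application)
const ALLOWED_ELEMENTS = new Map(Object.entries({
  p: [], b: [], i: [], em: [], strong: [], br: [], ul: [], ol: [], li: [],
  a: ['href', 'title'],
  span: ['style'],
}));
// inline style properties allowed inside style="..."
const ALLOWED_STYLE_PROPS = new Set(['color', 'font-weight', 'text-align']);
// disallowed elements whose text content must go too, not just the tags
const DROP_CONTENT = new Set(['script', 'style', 'iframe', 'object', 'embed', 'template']);
const VOID_ELEMENTS = new Set(['br']);

// A tag is only recognised when it matches this shape completely; any other '<' is escaped as text.
const TAG_RE = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)((?:\s+[^\s=>\/"']+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>"']+))?)*)\s*(\/?)>/g;
const ATTR_RE = /([^\s=>\/"']+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>"']+)))?/g;

function escapeText(s) {
  // '&' is escaped as well, so entities in the input stay literal and cannot re-form a scheme
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

function safeHref(value) {
  // browsers skip ASCII control characters inside a scheme, so strip them before deciding
  const v = value.replace(/[\u0000-\u0020\u007f]/g, '');
  if (/^(https?:|mailto:)/i.test(v)) return true;
  return !/^[a-z][a-z0-9+.-]*:/i.test(v);   // no scheme at all: a relative URL
}

function safeStyle(value) {
  const kept = [];
  for (const decl of value.split(';')) {
    const idx = decl.indexOf(':');
    if (idx < 0) continue;
    const prop = decl.slice(0, idx).trim().toLowerCase();
    const val = decl.slice(idx + 1).trim();
    // listed property and a plain value only: no url(), expression(), escapes or quotes
    if (ALLOWED_STYLE_PROPS.has(prop) && /^[a-z0-9 #%.,-]+$/i.test(val)) kept.push(`${prop}: ${val}`);
  }
  return kept.join('; ');
}

function sanitizeAttrs(name, attrText) {
  const allowed = ALLOWED_ELEMENTS.get(name);
  let out = '';
  for (const m of attrText.matchAll(ATTR_RE)) {
    const attr = m[1].toLowerCase();
    let value = m[2] ?? m[3] ?? m[4] ?? '';
    if (!allowed.includes(attr)) continue;          // drops every on* handler, src, srcdoc, ...
    if (attr === 'href' && !safeHref(value)) continue;
    if (attr === 'style') { value = safeStyle(value); if (!value) continue; }
    out += ` ${attr}="${escapeText(value)}"`;
  }
  return out;
}

function sanitize(html) {
  let out = '';
  const open = [];        // allowed elements currently open, so output is always balanced
  let skipUntil = null;   // set while inside a dropped script/style/... element
  let last = 0;
  TAG_RE.lastIndex = 0;
  let m;
  while ((m = TAG_RE.exec(html)) !== null) {
    const [whole, closing, rawName, attrText] = m;
    const name = rawName.toLowerCase();
    const text = html.slice(last, m.index);
    last = m.index + whole.length;
    if (skipUntil) {
      if (closing && name === skipUntil) skipUntil = null;
      continue;                                     // text and tags inside the dropped element vanish
    }
    out += escapeText(text);
    if (!ALLOWED_ELEMENTS.has(name)) {
      if (!closing && DROP_CONTENT.has(name)) skipUntil = name;
      continue;                                     // unknown element: tag removed, its text kept
    }
    if (closing) {
      const i = open.lastIndexOf(name);
      if (i < 0) continue;                          // stray closing tag
      while (open.length > i) out += `</${open.pop()}>`;
    } else {
      out += `<${name}${sanitizeAttrs(name, attrText)}>`;
      if (!VOID_ELEMENTS.has(name)) open.push(name);   // a trailing '/' on a non-void tag is ignored, as browsers do
    }
  }
  if (!skipUntil) out += escapeText(html.slice(last));
  while (open.length) out += `</${open.pop()}>`;
  return out;
}

// Shape expected by aurelia.container.registerSingleton(HTMLSanitizer, AllowListSanitizer):
// a sanitize(html) method that passes its own parameter through (not an undefined 'dirty').
class AllowListSanitizer {
  sanitize(html) { return sanitize(html); }
}
```

Attribute values are never entity-decoded by this sketch; instead every `&` in the output is re-escaped, so an entity-encoded scheme in the input stays a literal, harmless string after the browser decodes it once. The `skipUntil` state is what makes the difference between "remove the tag" and "remove the tag and its content", which matters for `script`, `style` and similar elements whose text must not survive as visible or parsable content.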