Comments (15)
@Sayan751 I found that [email protected] actually is the version installed in my node_modules folder. Still, the npm warning appears. Even if the latest aurelia-templating-resources release mitigates the problem, the reported vulnerability is for the aurelia-framework package (Cross-site Scripting in aurelia-framework). Maybe new releases of the upstream dependencies with a bumped version constraint for aurelia-templating-resources are required to resolve the npm warning?
aurelia-bootstrapper@bump
├ aurelia-templating-resources@^1.14.0
└ aurelia-framework@^bump
  └ aurelia-templating@^bump
    └ aurelia-templating-resources@^1.14.0
from framework.
@mroeling I think that's because you are credited in the reported vulnerability: GHSA-m6j2-v3gq-45r5.
Ah, yes, I contributed, I think, by adding the last line to the references :) Thanks for pointing that out. But I had nothing to do with the original findings. So no, I don't think I'm the appropriate person in this matter...
Edit: I've sent the link to this thread to the raiser of the issue on the Aurelia forum.
With [email protected] and [email protected] and [email protected], the reported vulnerability should be resolved.
Thanks @mroeling, @josundt for reporting & help resolving the issue & @Sayan751 for the discussion.
Though I'm not sure how we should actually make npm aware of this. @mroeling can you have a check and update the status?
@milkshakeuk you can do the following:
main.js
import { HTMLSanitizer } from 'aurelia-templating-resources'
import createDOMPurify from 'dompurify'

export function configure(aurelia) {
  ...
  // Register a DOMPurify-backed implementation in place of the
  // framework's HTMLSanitizer, so sanitization goes through DOMPurify.
  aurelia.container.registerSingleton(HTMLSanitizer, class MySanitizer {
    constructor() {
      this.purifier = createDOMPurify(window);
    }
    sanitize(html) {
      // sanitize the incoming markup and return the cleaned string
      return this.purifier.sanitize(html);
    }
  })
}
A TypeScript version of the above:
import { HTMLSanitizer } from 'aurelia-templating-resources';
import createDOMPurify from 'dompurify';

export class CustomHtmlSanitizer {
  purifier: createDOMPurify.DOMPurifyI;

  constructor() {
    // bind DOMPurify to the browser window
    this.purifier = createDOMPurify(window);
  }

  sanitize(html: string | Node) {
    return this.purifier.sanitize(html);
  }
}

// inside configure(aurelia) in main.ts:
aurelia.container.registerSingleton(HTMLSanitizer, CustomHtmlSanitizer);
Thank you for reporting this issue. We will be releasing a new minor version of the templating package, with a throw, instead of the current way of doing it. After that, we will be upgrading the min dependency requirement here.
@bigopon Any ETA for the templating package security update?
@josundt The release is already out with v1.14.0: https://github.com/aurelia/templating-resources/releases/tag/1.14.0. I think this issue can now be closed.
Edit: Just realized, there might be some further changes that are required.
Even though I'm happy to see this resolved, @bigopon are you sure you meant to tag me in here? :)
I've submitted a resolution at github/advisory-database#175
Will update here.
It's been merged github/advisory-database#175
This issue is resolved. Thanks everyone.
@bigopon what's the official recommended way to fix the new error which is thrown? Is there a plugin you recommend for HTML sanitisation? I found this https://www.npmjs.com/package/@appex/aurelia-dompurify/v/0.5.0 but it hasn't been touched in a year.
Hi, it is a bit disappointing that this security fix has resulted in existing functionality stopping working without much warning. The docs should also provide the solution above to the error.
Hi @jamesg1, thanks for the suggestion. Glad you got it working for you. I'd also say that if you don't have any HTML from users, maybe there's no need to use a sanitizer.
For the doc, cc @Vheissu