Comments (15)

josundt commented on August 24, 2024 (2)

@Sayan751 I found that [email protected] actually is the version installed in my node_modules folder.
Still the npm warning appears.

Even if the latest aurelia-templating-resources release mitigates the problem, the reported vulnerability is for the aurelia-framework package (Cross-site Scripting in aurelia-framework).

Maybe new releases of the upstream dependencies with bumped version constraint for aurelia-templating-resources is required to resolve the npm warning?

aurelia-bootstrapper@bump
├ aurelia-templating-resources@^1.14.0
└ aurelia-framework@^bump
  └ aurelia-templating@^bump
    └ aurelia-templating-resources@^1.14.0

from framework.

mroeling commented on August 24, 2024 (2)

@mroeling I think that's because you are credited in the reported vulnerability: GHSA-m6j2-v3gq-45r5.

Ah, yes, I've contributed by adding I think the last line to the references :) Thanks for pointing that out. But I had nothing to do with the original findings. So no, I don't think I'm the appropriate person in this matter...

Edit: I've sent the link to this thread to the raiser of the issue on the Aurelia forum.


bigopon commented on August 24, 2024 (1)

with [email protected] and [email protected] and [email protected], the reported vulnerability should be resolved.

Thanks @mroeling, @josundt for reporting & help resolving the issue & @Sayan751 for the discussion.

Though I'm not sure how we should actually make npm aware of this. @mroeling can you have a check and update the status?


bigopon commented on August 24, 2024 (1)

@milkshakeuk you can do the following:
main.js

import { HTMLSanitizer } from 'aurelia-templating-resources'
import createDOMPurify from 'dompurify'

export function configure(aurelia) {
  ...
  // Register a DOMPurify-backed implementation in place of the default HTMLSanitizer
  aurelia.container.registerSingleton(HTMLSanitizer, class MySanitizer {
    constructor() {
      this.purifier = createDOMPurify(window);
    }
    sanitize(html) {
      // sanitize the string that Aurelia hands in (the original had an undefined `dirty` here)
      return this.purifier.sanitize(html);
    }
  })
}


jamesg1 commented on August 24, 2024 (1)

A typescript version for the above

import { HTMLSanitizer } from 'aurelia-templating-resources';
import createDOMPurify from 'dompurify';

export class CustomHtmlSanitizer {
  purifier: createDOMPurify.DOMPurifyI;

  constructor() {
    this.purifier = createDOMPurify(window);
  }
  sanitize(html: string | Node) {
    return this.purifier.sanitize(html);
  }
}

// inside configure(aurelia) in main.ts
aurelia.container.registerSingleton(HTMLSanitizer, CustomHtmlSanitizer);


bigopon commented on August 24, 2024

Thank you for reporting this issue. We will be releasing a new minor version of the templating package, with a throw, instead of the current way of doing it. After that, we will be upgrading the min dependency requirement here.


josundt commented on August 24, 2024

@bigopon Any ETA for the templating package security update?


Sayan751 commented on August 24, 2024

@josundt The release is already out with v1.14.0: https://github.com/aurelia/templating-resources/releases/tag/1.14.0. I think this issue can now be closed.

Edit: Just realized, there might be some further changes that are required.


mroeling commented on August 24, 2024

with [email protected] and [email protected] and [email protected], the reported vulnerability should be resolved.

Thanks @mroeling, @josundt for reporting & help resolving the issue & @Sayan751 for the discussion.

Though I'm not sure how we should actually make npm aware of this. @mroeling can you have a check and update the status?

Even though I'm happy to see this resolved, @bigopon are you sure you meant to tag me in here? :)


Sayan751 commented on August 24, 2024

@mroeling I think that's because you are credited in the reported vulnerability: GHSA-m6j2-v3gq-45r5.


bigopon commented on August 24, 2024

I've submitted a resolution at github/advisory-database#175
Will update here.


bigopon commented on August 24, 2024

It's been merged github/advisory-database#175

This issue is resolved. Thanks everyone.


milkshakeuk commented on August 24, 2024

@bigopon what's the official recommended way to fix the new error which is thrown? Is there a plugin you recommend for html sanitisation? I found this https://www.npmjs.com/package/@appex/aurelia-dompurify/v/0.5.0 but it's not been touched in a year.


jamesg1 commented on August 24, 2024

Hi, it is a bit disappointing that this security fix has resulted in existing functionality stopping working without much warning. The docs should also provide the solution above to the error.


bigopon commented on August 24, 2024

Hi @jamesg1, thanks for the suggestion. Glad you got it working for you. I'd also say that if you don't have any HTML from users, maybe there's no need to use a sanitizer.
For the doc, cc @Vheissu

