0

I am getting XSS (cross-site scripting) findings when calling an API and rendering the result in an HTML page. I tried the DomSanitizer on the URL and on the HTML as well, but I am still getting the XSS issues. I tried the approach below. Please correct me if anything is wrong and suggest a solution.

import { SecurityContext } from '@angular/core';
import { DomSanitizer } from '@angular/platform-browser';

// domSanitizer is injected in the component constructor.
// Note: sanitize() returns a value produced by bypassSecurityTrustResourceUrl()
// for the same context unchanged, so dataUrl is simply the original string.
const dataUrl = this.domSanitizer.sanitize(
      SecurityContext.RESOURCE_URL,
      this.domSanitizer.bypassSecurityTrustResourceUrl(
        'https://raw.githubusercontent.com/l-lin/angular-datatables/master/demo/src/data/data.json'
      )
    );

html:

   <td [innerHTML]="person.id | sanitizeHtml"></td>
   <td [innerHTML]="person.firstName | sanitizeHtml"></td>
   <td [innerHTML]="person.lastName | sanitizeHtml"></td> 

Stackblitz

Rajasekhar
  • Is the TypeScript part you posted part of the sanitizeHtml pipe you're using in the HTML template? It's unclear to me how those code snippets are connected exactly and what the `person` object looks like. – ShamPooSham Oct 28 '21 at 19:59
  • And can you please share the exact error you're getting? – ShamPooSham Oct 28 '21 at 20:00

2 Answers

0

Are these HTML-type strings you are putting in here? If they are normal strings that don't contain HTML content, then you should use the normal interpolation syntax with curly braces.

stackblitz

<td>{{ person.id }}</td>
<td>{{ person.firstName }}</td>
<td>{{ person.lastName }}</td> 
DrakeAnglin
  • @DrakeAnglin we used the regular interpolation concept, but we are getting cross-site scripting errors, so we are sanitizing the URL and HTML code. – Rajasekhar Oct 28 '21 at 14:08
  • It may be the way you are getting the data. Are you using HttpClient to get the JSON? I have added a StackBlitz to my answer and I am not getting any errors. – DrakeAnglin Oct 28 '21 at 19:53
-1

You can use innerText instead of innerHTML to solve this issue :).

Your HTML will look like this:

   <td [innerText]="person.id"></td>
   <td [innerText]="person.firstName"></td>
   <td [innerText]="person.lastName"></td> 
Felix
  • If you're going to do it this way, you may as well use the interpolation syntax `{{ person.id }}`; this works, but I don't know why you would use this method over the default interpolation. – DrakeAnglin Oct 28 '21 at 14:06
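The example below is added here and is not code from the question or from either answer. It shows, in plain TypeScript with no Angular and no DOM, what the bindings discussed in both answers (DrakeAnglin's `{{ }}` interpolation and Felix's `[innerText]`) do with an API field that contains markup, next to what a bypassed `[innerHTML]` does. The background is that Angular's `DomSanitizer.sanitize()` returns a value created by `bypassSecurityTrust*` for the same security context unchanged, so the sanitize-after-bypass pattern in the question does not remove anything. The string "renderer", the `Person` shape, the sample record and the `containsActiveContent`/`fieldsWithMarkup` helpers are assumptions of this example, not Angular APIs.

```typescript
// Added example (not from the question or the answers). Models, without a
// browser, what text bindings and a bypassed [innerHTML] do with API data.

interface Person {
  id: number;
  firstName: string;
  lastName: string;
}

// Constructed sample record shaped like the rows in the question's data.json;
// lastName carries an XSS payload an attacker could plant in the API data.
const person: Person = {
  id: 1,
  firstName: 'Alice',
  lastName: '<img src=x onerror="alert(document.cookie)">',
};

const FIELDS: (keyof Person)[] = ['id', 'firstName', 'lastName'];

// Effect of writing a text node ({{ }} or [innerText]): HTML-significant
// characters are serialized as entities and are never parsed as markup.
function escapeHtml(value: unknown): string {
  const map: Record<string, string> = {
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Models <td>{{ person.x }}</td> and <td [innerText]="person.x"></td>.
function renderRowAsText(p: Person): string {
  return FIELDS.map((k) => `<td>${escapeHtml(p[k])}</td>`).join('');
}

// Models <td [innerHTML]="person.x | trustHtml"></td> where the pipe returns
// bypassSecurityTrustHtml(value): the string reaches the HTML parser untouched.
function renderRowAsTrustedHtml(p: Person): string {
  return FIELDS.map((k) => `<td>${String(p[k])}</td>`).join('');
}

// Heuristic used only to make the difference observable in a check; it is
// not a sanitizer and must not be used as one.
const ACTIVE_CONTENT =
  /<(script|iframe|object|embed)\b|<[a-z][^>]*\son[a-z]+\s*=|<[a-z][^>]*\s(href|src)\s*=\s*["']?\s*javascript:/i;

function containsActiveContent(html: string): boolean {
  return ACTIVE_CONTENT.test(html);
}

// Data-layer check: plain data fields such as id/firstName/lastName should not
// contain markup at all, so flag records whose fields look like HTML before
// they reach a template. Returns the names of the offending fields.
function fieldsWithMarkup(p: Person): string[] {
  return FIELDS.filter((k) => /[<>]/.test(String(p[k])));
}

console.log('text binding :', renderRowAsText(person));
console.log('trusted html :', renderRowAsTrustedHtml(person));
console.log('suspicious   :', fieldsWithMarkup(person));
```

The text-binding output keeps the payload as inert text (`&lt;img ...&gt;`), which is why interpolation or `[innerText]` needs no sanitizer pipe at all; the bypassed `[innerHTML]` output contains a live `onerror` handler. Reserve `[innerHTML]` for fields that are genuinely meant to carry HTML, and leave Angular's built-in sanitization in front of it rather than wrapping the value with `bypassSecurityTrustHtml`.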