Angular built-in sanitization should not be disabled #2012

Description

@CRoberto1926

See https://github.com/kadai-io/kadai/security/code-scanning/59 and https://sonarcloud.io/project/issues?impactSoftwareQualities=SECURITY&issueStatuses=OPEN%2CCONFIRMED&pullRequest=1972&id=kadai-io_kadai&open=AZ69aPCawhkEO4EgjFmu


When navigating to Workplace and selecting a ready Task to work on, the Task Processing component of our application contains an iframe.
This iframe points to a URL which is defined through user input (classification.applicationEntryPoint), and falls back to Bing if nothing is defined.
Thus, we need to disable Angular sanitization to let the user navigate to the desired URL.

However, an iframe with a user-defined URL is a common attack vector for Cross-Site Scripting (XSS, see also https://angular.dev/best-practices/security#preventing-cross-site-scripting-xss).

In KADAI we want to integrate other frontends when processing tasks. Perhaps we should discuss if there is a better way to do it than using an iframe with user input URL.
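One way to keep the iframe without handing an unchecked value to `DomSanitizer.bypassSecurityTrustResourceUrl`, as an added example that is not KADAI project code: the component resolves the entry point through an origin allow-list first, and only the value that passes is marked trusted. The allow-listed origins and the exact fallback URL are assumed placeholders.

```typescript
// Added example, not KADAI code: decide what the task-processing iframe may
// load before DomSanitizer.bypassSecurityTrustResourceUrl is ever called.
// Assumed: allow-listed origins and fallback URL come from configuration;
// the values below are constructed placeholders.

const FALLBACK_ENTRY_POINT = 'https://www.bing.com/'; // placeholder for the Bing fallback
const ALLOWED_ORIGINS: readonly string[] = [
  'https://tasks.example.internal', // constructed sample origins of integrated frontends
  'https://forms.example.internal',
];

interface EntryPointDecision {
  url: string;
  trusted: boolean; // true only when the input passed every check
  reason: string;   // why the fallback was used, for logging and audit
}

// Anything that is not an https URL on an allow-listed origin is replaced by
// the fallback, so a crafted classification value cannot make the iframe load
// a javascript:/data: URL or an arbitrary external site. The origin is compared
// exactly (scheme + host + port), not by string prefix, so look-alike hosts fail.
function resolveEntryPoint(
  input: string | null | undefined,
  allowedOrigins: readonly string[] = ALLOWED_ORIGINS,
  fallback: string = FALLBACK_ENTRY_POINT,
): EntryPointDecision {
  if (!input || input.trim() === '') {
    return { url: fallback, trusted: false, reason: 'no entry point configured' };
  }
  let parsed: URL;
  try {
    parsed = new URL(input.trim()); // rejects relative and malformed values
  } catch {
    return { url: fallback, trusted: false, reason: 'malformed URL' };
  }
  if (parsed.protocol !== 'https:') {
    return { url: fallback, trusted: false, reason: `scheme ${parsed.protocol} not allowed` };
  }
  if (!allowedOrigins.includes(parsed.origin)) {
    return { url: fallback, trusted: false, reason: `origin ${parsed.origin} not on allow-list` };
  }
  // parsed.href is the normalised form; only this value should be passed to
  // bypassSecurityTrustResourceUrl and bound to the iframe's [src].
  return { url: parsed.href, trusted: true, reason: 'allow-listed origin' };
}
```

Pairing this with a `sandbox` attribute on the iframe limits what an allow-listed page can do if it is itself compromised.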

Labels: frontend (Something in the frontend)