See https://github.com/kadai-io/kadai/security/code-scanning/59 and https://sonarcloud.io/project/issues?impactSoftwareQualities=SECURITY&issueStatuses=OPEN%2CCONFIRMED&pullRequest=1972&id=kadai-io_kadai&open=AZ69aPCawhkEO4EgjFmu
When navigating to Workplace and selecting a ready Task to work on, the Task Processing component of our application renders an iframe.
This iframe points to a URL that comes from user input (classification.applicationEntryPoint) and falls back to Bing if nothing is defined.
Because of that, we currently disable Angular's sanitization so the user can be taken to the configured URL.
However, an iframe whose source is user-defined input is a common attack vector for Cross-Site Scripting (XSS; see also https://angular.dev/best-practices/security#preventing-cross-site-scripting-xss).
In KADAI we want to integrate other frontends when processing tasks. Perhaps we should discuss whether there is a better way to do this than an iframe with a user-supplied URL.
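One mitigation to weigh in that discussion is to keep the sanitizer bypass but only apply it to URLs that pass a strict check first. The following is an added example, not KADAI code: a plain TypeScript function that validates an `applicationEntryPoint` value (https only, no embedded credentials, host on an allow-list) and otherwise returns the fallback. The allow-list, the `checkEntryPoint` name and the host names are assumptions; the fallback URL is the Bing fallback mentioned above. The accepted string is what would then be handed to Angular's `DomSanitizer.bypassSecurityTrustResourceUrl()` for the iframe `src`.

```typescript
// Added example (not KADAI project code). Validates a user-configured
// applicationEntryPoint before it is trusted as an iframe resource URL.
// Hypothetical names: checkEntryPoint, EntryPointCheck, allowedHosts.

const FALLBACK_ENTRY_POINT = "https://www.bing.com/"; // fallback named in the issue

interface EntryPointCheck {
  url: string;       // URL safe to pass to bypassSecurityTrustResourceUrl()
  accepted: boolean; // false when the fallback was substituted
  reason: string;    // why the input was accepted or rejected
}

function checkEntryPoint(
  raw: string | null | undefined,
  allowedHosts: readonly string[],
  fallback: string = FALLBACK_ENTRY_POINT,
): EntryPointCheck {
  if (!raw || raw.trim() === "") {
    return { url: fallback, accepted: false, reason: "no entry point configured" };
  }

  // Parse with the WHATWG URL parser so scheme/host/credentials are
  // taken from the parsed structure, not from string matching.
  let parsed: URL;
  try {
    parsed = new URL(raw.trim());
  } catch {
    return { url: fallback, accepted: false, reason: "unparseable URL" };
  }

  // Only https. This rejects javascript:, data:, blob: and plain http:,
  // which covers the script-execution cases the sanitizer would normally block.
  if (parsed.protocol !== "https:") {
    return { url: fallback, accepted: false, reason: `scheme ${parsed.protocol} not allowed` };
  }

  // Embedded credentials are a phishing / confusion risk inside a frame.
  if (parsed.username !== "" || parsed.password !== "") {
    return { url: fallback, accepted: false, reason: "credentials in URL" };
  }

  // Host must equal an allow-listed host or be a subdomain of one.
  const host = parsed.hostname.toLowerCase();
  const hostAllowed = allowedHosts.some(
    (h) => host === h.toLowerCase() || host.endsWith("." + h.toLowerCase()),
  );
  if (!hostAllowed) {
    return { url: fallback, accepted: false, reason: `host ${host} not on allow-list` };
  }

  // Return the normalised form produced by the parser, not the raw input.
  return { url: parsed.toString(), accepted: true, reason: "ok" };
}

// Usage in an Angular component would look like:
//   const check = checkEntryPoint(classification.applicationEntryPoint, allowedHosts);
//   this.frameSrc = this.sanitizer.bypassSecurityTrustResourceUrl(check.url);
// and, when check.accepted is false, log check.reason so misconfigured
// classifications surface instead of silently landing on the fallback.
```

Even with this check in place, the frame itself can be restricted further with the HTML `sandbox` attribute so the embedded frontend only gets the capabilities it needs; which sandbox flags are acceptable depends on what the integrated frontends actually require.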