I'm submitting a security vulnerability audit report

- Library Version: aurelia-framework 1.3.1

Please tell us about your environment:

- Operating System: Windows 11 (N/A)
- Node Version: 16.14.1 (LTS)
- NPM Version: 8.3.1 (LTS)
- Aurelia CLI OR JSPM OR Webpack AND Version: N/A
- Browser: N/A
- Language: all
Current behavior:
When installing Aurelia 1 (aurelia-framework) using npm, audit warnings are displayed, with reference to this vulnerability description.
The Aurelia products developed by my company are not really affected since we have implemented our own improved Aurelia HTMLSanitizer package (stored on our internal npm repository). We use this as a replacement for the default, limited sanitizer implementation included with aurelia-framework (as recommended in your documentation pages).
Our sanitizer package is a pure ESM package that works both in browser AND node (using jsdom) environments, and it is configurable by "allow-listing" html element names/attributes per element type, and also inline CSS style properties...
```typescript
// HtmlSanitizerOptions is the options type exported by our (internal) sanitizer package.
const options: HtmlSanitizerOptions = {
  // element name -> attributes allowed on that element
  htmlAllow: {
    p: ["style"]
  },
  // inline CSS properties allowed inside a permitted "style" attribute
  cssAllow: [
    "text-align"
  ]
};
```
If it is of interest, I could ask if it is OK to make the source code for our sanitizer package public, so that you could review/test it.
Then we could discuss making the package public, or if you prefer dissecting the code to make it an integral part of the aurelia-framework source code, we could maybe "donate" the code for this purpose as well.
I would need some confirmations from management first though.
Whatever you prefer, I think something should be done to get rid of the vulnerability audit warnings.
Awaiting reply.
Expected/desired behavior:
Aurelia 1 should mitigate the vulnerability by including a better html sanitization feature to get rid of audit warnings when installed from the npm repository.
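As an added example (this is not the reporter's package and not Aurelia code), here is a small allow-list sanitizer in plain JavaScript in the shape the report describes: it consumes the `htmlAllow` (element name to allowed attributes) and `cssAllow` (allowed inline CSS properties) options mentioned above. The `urlSchemes` and `dropContent` options, the function names, and the sample input are assumptions of this example. It shows three checks a practitioner would expect from such a sanitizer: attribute values are entity-decoded before they are inspected, `href`/`src` values are validated through the WHATWG URL parser rather than a string prefix, and element lookups use an own-property check so names like `constructor` cannot match inherited keys.

```javascript
"use strict";
// Added example: allow-list HTML sanitizer (not the reporter's package, not Aurelia code).
// Tokenizes tags with a strict pattern; anything that does not parse cleanly is emitted as text.

const NAMED_ENTITIES = { amp: "&", lt: "<", gt: ">", quot: '"', apos: "'" };
const TAG_RE = /^<(\/?)([a-z][a-z0-9-]*)((?:\s+[^\s"'<>\/=]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'<>`]+))?)*)\s*(\/?)>/i;
const ATTR_RE = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'<>`]+)))?/g;
const SAFE_CSS_VALUE = /^[a-z0-9\s%#.,-]+$/i; // no parens, quotes or backslashes: blocks url()/expression()

// Decode character references so a value is checked the way a browser would see it
// (e.g. "&#106;avascript:" must not slip past the scheme check below).
function decodeEntities(s) {
  return s.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);/gi, (m, body) => {
    if (body[0] === "#") {
      const cp = body[1].toLowerCase() === "x" ? parseInt(body.slice(2), 16) : parseInt(body.slice(1), 10);
      return Number.isFinite(cp) && cp <= 0x10ffff ? String.fromCodePoint(cp) : m;
    }
    const named = NAMED_ENTITIES[body.toLowerCase()];
    return named === undefined ? m : named;
  });
}
const encodeAttr = (s) => s.replace(/&/g, "&amp;").replace(/"/g, "&quot;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
const encodeText = (s) => s.replace(/</g, "&lt;").replace(/>/g, "&gt;");

// Keep only declarations whose property is allow-listed and whose value is plain.
function sanitizeStyle(value, cssAllow) {
  const kept = [];
  for (const decl of value.split(";")) {
    const idx = decl.indexOf(":");
    if (idx < 0) continue;
    const prop = decl.slice(0, idx).trim().toLowerCase();
    const val = decl.slice(idx + 1).trim();
    if (cssAllow.includes(prop) && SAFE_CSS_VALUE.test(val)) kept.push(`${prop}: ${val}`);
  }
  return kept.join("; ");
}

// Let the URL parser normalise whitespace/control characters, then compare the scheme.
function safeUrl(value, schemes) {
  try {
    return schemes.includes(new URL(value, "https://placeholder.invalid/").protocol) ? value : null;
  } catch {
    return null;
  }
}

function sanitizeHtml(html, options) {
  const { htmlAllow, cssAllow = [], urlSchemes = ["http:", "https:", "mailto:"], dropContent = ["script", "style"] } = options;
  let out = "";
  let skipUntil = null; // name of a dropped element whose content is being discarded
  let i = 0;
  while (i < html.length) {
    const lt = html.indexOf("<", i);
    if (lt < 0) { if (!skipUntil) out += encodeText(html.slice(i)); break; }
    if (lt > i && !skipUntil) out += encodeText(html.slice(i, lt));
    const m = TAG_RE.exec(html.slice(lt));
    if (!m) { if (!skipUntil) out += "&lt;"; i = lt + 1; continue; } // malformed tag: fail closed as text
    i = lt + m[0].length;
    const closing = m[1] === "/";
    const name = m[2].toLowerCase();
    if (skipUntil) { if (closing && name === skipUntil) skipUntil = null; continue; }
    // Own-property lookup: "<constructor>" must not resolve to Object.prototype.constructor.
    if (!Object.prototype.hasOwnProperty.call(htmlAllow, name)) {
      if (!closing && dropContent.includes(name)) skipUntil = name;
      continue;
    }
    if (closing) { out += `</${name}>`; continue; }
    const allowedAttrs = htmlAllow[name];
    let attrs = "";
    for (const a of m[3].matchAll(ATTR_RE)) {
      const attrName = a[1].toLowerCase();
      if (!allowedAttrs.includes(attrName) || attrName.startsWith("on")) continue; // never emit event handlers
      let value = decodeEntities(a[2] ?? a[3] ?? a[4] ?? "");
      if (attrName === "style") value = sanitizeStyle(value, cssAllow);
      else if (attrName === "href" || attrName === "src") value = safeUrl(value, urlSchemes);
      if (value === null || value === "") continue;
      attrs += ` ${attrName}="${encodeAttr(value)}"`;
    }
    out += `<${name}${attrs}${m[4] ? " /" : ""}>`;
  }
  return out;
}

// Constructed sample input and options (assumed values, not from the report).
const exampleOptions = { htmlAllow: { p: ["style"], a: ["href"], b: [] }, cssAllow: ["text-align"] };
const exampleInput = '<p style="text-align: center; color: red">Hi</p><script>alert(1)</script><a href="&#106;avascript:alert(1)">x</a>';
console.log(sanitizeHtml(exampleInput, exampleOptions));
```

The tokenizer deliberately rejects any tag it cannot parse in full (for example an attribute glued to the previous one without whitespace) and emits it as escaped text; for an allow-list sanitizer, failing closed is the safer default than guessing at intent.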