Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Component: Table may have Trusted Types incompatibilities from .innerHTML assignment #16153

Closed
aaronshim opened this issue Aug 1, 2024 · 0 comments · Fixed by #16154
Closed

Component: Table may have Trusted Types incompatibilities from .innerHTML assignment #16153

aaronshim opened this issue Aug 1, 2024 · 0 comments · Fixed by #16154
Labels
LTS-PORTABLE Issue's fix will be ported to supported LTS versions Type: Bug Issue contains a bug related to a specific component. Something about the component is not working Type: Security Issue contains a security problem or enhancement related to a specific component
Milestone
17.18.8

Comments

@aaronshim
Copy link
Contributor

Describe the bug

When running with Trusted Types enforcement, the .innerHTML assignment in table.ts may fail.

The values being assigned to .innerHTML in this component are all just styles, so we don't need to treat it as markup or use the more dangerous DOM sink assignment .innerHTML-- as a matter of fact, keeping the assignment as .innerHTML may hide potential DOM XSS through this callsite. We propose changing this assignment to .textContent as suggested in https://web.dev/articles/trusted-types#rewrite.

Environment

Browsers that are sending the header Content-Security-Policy: require-trusted-types-for 'script'; ...

Reproducer

No response

Angular version

all

PrimeNG version

all

Build / Runtime

Angular CLI App

Language

TypeScript

Node version (for AoT issues node --version)

all

Browser(s)

Chromium and Chromium based

Steps to reproduce the behavior

No response

Expected behavior

No response
@aaronshim aaronshim added the Status: Needs Triage Issue will be reviewed by Core Team and a relevant label will be added as soon as possible label Aug 1, 2024
@aaronshim aaronshim mentioned this issue Aug 1, 2024
Merged
@cetincakiroglu cetincakiroglu added this to the 17.18.8 milestone Aug 8, 2024
@cetincakiroglu cetincakiroglu added Type: Bug Issue contains a bug related to a specific component. Something about the component is not working LTS-PORTABLE Issue's fix will be ported to supported LTS versions Type: Security Issue contains a security problem or enhancement related to a specific component and removed Status: Needs Triage Issue will be reviewed by Core Team and a relevant label will be added as soon as possible labels Aug 8, 2024
@aaronshim aaronshim mentioned this issue Aug 12, 2024
Closed
@ymg2006 ymg2006 mentioned this issue Aug 13, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
LTS-PORTABLE Issue's fix will be ported to supported LTS versions Type: Bug Issue contains a bug related to a specific component. Something about the component is not working Type: Security Issue contains a security problem or enhancement related to a specific component
Projects
None yet
Milestone
17.18.8
Development

Successfully merging a pull request may close this issue.

Change .innerHTML assignments in table.ts to .textContent aaronshim/primeng
3 participants
@aaronshim @cetincakiroglu @mehmetcetin01140