Veracode pointing out vulnerabilities in Angular 15 when using innerHTML with DomSanitizer

127 Views Asked by Jake At 04 April 2025 at 23:54

I have the following code in Angular 15, where we print an HTML response coming from an API:

HTML:

 <div [innerHTML]="htmlResponse | safe: 'html'"></div>

TS:

import { Pipe, PipeTransform } from '@angular/core';
import { DomSanitizer, SafeHtml, SafeStyle, SafeScript, SafeUrl, SafeResourceUrl } from '@angular/platform-browser';

@Pipe({
  name: 'safe'
})
export class SafePipe implements PipeTransform {

  constructor(protected sanitizer: DomSanitizer) {}
 
 public transform(value: any, type: string): SafeHtml | SafeStyle | SafeScript | SafeUrl | SafeResourceUrl {
    switch (type) {
            case 'html': return this.sanitizer.bypassSecurityTrustHtml(value);
            case 'style': return this.sanitizer.bypassSecurityTrustStyle(value);
            case 'script': return this.sanitizer.bypassSecurityTrustScript(value);
            case 'url': return this.sanitizer.bypassSecurityTrustUrl(value);
            case 'resourceUrl': return this.sanitizer.bypassSecurityTrustResourceUrl(value);
            default: throw new Error(`Invalid safe type specified: ${type}`);
        }
  }
}

Veracode vulnerability

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

What can we do to fix this issue?

Original Q&A

Veracode pointing out vulnerabilities in Angular 15 when using innerHTML with DomSanitizer

There are 0 best solutions below

Related Questions in ANGULAR

Related Questions in VERACODE

Trending Questions

Popular # Hahtags

Popular Questions