Vulnerability Disclosure Contact

**MedAziz1** · March 20, 2019, 3:40pm

Hello,

Recently in a secure code review mandate for one of our clients, the GoSecure AppSec team found a vulnerability in Aurelia. We’re searching for a contact in the Aurelia team in order to disclose it.

Thank you

**constructor** · March 20, 2019, 5:00pm

Understanding that you can not disclose details, what severity rating would you give this vulnerability?

**fkleuver** · March 20, 2019, 5:25pm

I just reached out to you via PM @MedAziz1

**EisenbergEffect** · March 20, 2019, 11:43pm

Quick Update: For anyone watching this thread. We’re talking with @MedAziz1 presently. We’ll soon provide details of the vulnerability, as well as our remediatory actions, and what you can do in your codebase, if you are affected (and haven’t configured Aurelia to address the issue already).

**tomtomau** · April 8, 2019, 9:51am

Any idea of when we can expect a response on this?

**EisenbergEffect** · April 8, 2019, 12:35pm

I apologize to everyone here. I forgot to follow-up on this thread.

The concern that was raised was with Aurelia’s internal HTMLSanitizer. However, per our docs, we indicate that it’s only a dev version and should not be used in production. So, there’s not really a security issue. We’ve updated our docs to add further clarity and guidance on how to replace the sanitizer with a production-grade implementation. We’ve also shipped an update that prints a warning to the console when you use our sanitizer.

**tomtomau** · April 8, 2019, 8:33pm

Thanks Rob.

For those playing along at home, here are the referred docs: https://aurelia.io/docs/binding/basics#element-content

**huochunpeng** · April 10, 2019, 4:35am

@fkleuver the doc should provide code snippet to enable DOMPurify or sanitize-html. I mean copy-paste ready code snippet.

**Sayan751** · April 10, 2019, 7:47am

I have used sanitize-html package (justification: https://www.npmtrends.com/sanitize-html-vs-dompurify) to have a rather simplistic value converter.

import sanitizeHtml = require("sanitize-html");

export class SanitizeHtmlValueConverter {
  public toView(value: string) {
    return !!value ? sanitizeHtml(value) : "";
  }
}

And then used it as

<my-el innerhtml.bind="htmlString|sanitizeHtml"></my-el>

Is this good enough? Or am I missing something?

**Sayan751** · April 10, 2019, 8:00am

The similar approach also works with a custom Sanitizer class.

export class MyHtmlSanitizer extends HTMLSanitizer {
  public sanitize(input) {
    return !!input ? sanitizeHtml(input) : "";
  }
}

// and then register as 
aurelia.use.singleton(HTMLSanitizer, MyHtmlSanitizer)

However, I find the usage of a custom value converter to be less disruptive (limited scope).

**fkleuver** · May 15, 2019, 1:30pm

However, I find the usage of a custom value converter to be less disruptive (limited scope).

Actually @Sayan751, your approach of registering the custom Sanitizer class is exactly what that particular extension point was meant for. You could say it’s way it was intended to be used.

Put it this way: we’re not including a proper sanitizer by default because it would drag in a dependency of non-negligible size for something that most people don’t use. The default class is little more than a stub in that sense.
But if you do include such dependency, you might as well utilize it to the fullest by making it the default sanitizer. I cannot imagine many scenarios where you have the dependency included, but still want to use the framework default in a certain case.