carbon-design-system / carbon-components-vue

Vue implementation of the Carbon Design System
http://vue.carbondesignsystem.com
Apache License 2.0
608 stars 178 forks

AppScan reports issue with innerHTML #1541

Open davidnixon opened 11 months ago

davidnixon commented 11 months ago

This is a tricky one to fix due to the testing required to make sure nothing is broken.

This affects _CvSvg and CvDatePicker. AppScan reports "Insecure Use of InnerHTML or OuterHTML". This is a false positive report, but it would be best to remove references to innerHTML if possible.

In certain cases CvDatePicker, which is a wrapper around flatpicker, is removing white space from the innerHTML with

currentItem.innerHTML = currentItem.innerHTML.replace(/\s+/g, '');

This needs some testing to see if this can just be removed.

In _CvSvg the svg content is added to the component via innerHTML. There is probably a clearer way to do this.
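
An added illustration of the two innerHTML uses named above; this is example code written for this page, not code from carbon-components-vue or flatpickr, and the element, class names and the tiny stand-in DOM are constructed so it runs offline. It shows why `el.innerHTML = el.innerHTML.replace(/\s+/g, '')` is the wrong tool (the regex runs over serialised markup, so the space between a tag name and its attributes, and spaces inside attribute values, are removed too, and the mangled string is then re-parsed as HTML), a text-node walk that strips whitespace without ever serialising or re-parsing markup, and, for the _CvSvg case, parsing SVG as XML and importing the resulting tree instead of assigning innerHTML.

```javascript
// 1. What the innerHTML round-trip really does: a regex over serialised markup.
function stripViaSerialisedMarkup(html) {
  return html.replace(/\s+/g, '');
}

// 2. Same intent on the DOM tree: only text nodes are edited, attributes and
//    element boundaries are untouched, nothing is re-parsed. Works on any object
//    that follows the DOM Node shape (nodeType, nodeValue, childNodes).
const ELEMENT_NODE = 1;
const TEXT_NODE = 3;
function stripWhitespaceInTextNodes(node) {
  if (node.nodeType === TEXT_NODE) {
    node.nodeValue = node.nodeValue.replace(/\s+/g, '');
    return;
  }
  for (const child of Array.from(node.childNodes)) {
    stripWhitespaceInTextNodes(child);
  }
}

// Constructed stand-in for DOM nodes so the example runs in Node without a
// browser; in a browser, pass the real element to stripWhitespaceInTextNodes.
function makeElement(tagName, attributes, childNodes) {
  return {
    nodeType: ELEMENT_NODE,
    tagName,
    attributes,
    childNodes,
    // innerHTML-style serialisation, just enough for the demo
    serialize() {
      const attrs = Object.entries(attributes)
        .map(([name, value]) => ` ${name}="${value}"`)
        .join('');
      const inner = childNodes
        .map((c) => (c.nodeType === TEXT_NODE ? c.nodeValue : c.serialize()))
        .join('');
      return `<${tagName}${attrs}>${inner}</${tagName}>`;
    },
  };
}
function makeText(nodeValue) {
  return { nodeType: TEXT_NODE, nodeValue };
}

// Constructed sample: a weekday cell (class names are assumed) whose text is
// padded with whitespace, as the date-picker code above wants to strip.
function compareStrategies() {
  const cell = makeElement('span', { class: 'weekday focused' }, [makeText(' Mon ')]);
  const before = cell.serialize();
  const viaInnerHtml = stripViaSerialisedMarkup(before);
  stripWhitespaceInTextNodes(cell);
  return { before, viaInnerHtml, viaTextNodes: cell.serialize() };
}

// 3. For the _CvSvg case: parse SVG markup as XML and import the tree, rather
//    than assigning innerHTML. Malformed input yields a <parsererror> document
//    instead of being silently repaired by the HTML parser, and <script>
//    elements, on* handlers and javascript: hrefs are dropped before import.
//    Browser-only (needs DOMParser and document), so it is defined but not
//    called here; it is not a complete SVG sanitiser, so markup from outside
//    the build should still go through a dedicated one.
function svgMarkupToElement(markup, doc = document) {
  const parsed = new DOMParser().parseFromString(markup, 'image/svg+xml');
  if (parsed.getElementsByTagName('parsererror').length > 0) {
    throw new Error('rejected malformed SVG markup');
  }
  const root = parsed.documentElement;
  for (const script of Array.from(root.querySelectorAll('script'))) {
    script.remove();
  }
  for (const element of [root, ...Array.from(root.querySelectorAll('*'))]) {
    for (const attr of Array.from(element.attributes)) {
      const isHandler = /^on/i.test(attr.name);
      const isJsHref =
        (attr.name === 'href' || attr.name === 'xlink:href') &&
        /^\s*javascript:/i.test(attr.value);
      if (isHandler || isJsHref) element.removeAttribute(attr.name);
    }
  }
  return doc.importNode(root, true);
}

const result = compareStrategies();
console.log('before        :', result.before);
console.log('via innerHTML :', result.viaInnerHtml);
console.log('via text nodes:', result.viaTextNodes);
```

The first strategy turns `<span class="weekday focused"> Mon </span>` into `<spanclass="weekdayfocused">Mon</span>`, which the browser re-parses as an unknown element, so any fix in CvDatePicker that keeps the behaviour should operate on text nodes (or on a specific `textContent`) rather than on the serialised markup; that also removes the innerHTML reference AppScan flags.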

github-actions[bot] commented 3 months ago

This issue has been marked as stale because it has required additional info or a response from the author for over 14 days. When you get the chance, please comment with the additional info requested. Otherwise, this issue will be closed in 14 days.

github-actions[bot] commented 2 months ago

This issue has been marked as stale because it has required additional info or a response from the author for over 14 days. When you get the chance, please comment with the additional info requested. Otherwise, this issue will be closed in 14 days.