
Use of toastr Components with Known Vulnerabilities (XSS) #4779


0
hamidsharifi created

ABP Framework uses the toastr component as its toaster to show messages. Our issue with toastr is that it is deprecated and has a high-rated XSS vulnerability; you can check this link: https://security.snyk.io/vuln/SNYK-JS-TOASTR-2396430. Do you have any plan to replace it with another toaster component? If not, what is your suggestion to bypass this security issue?

  • ABP Framework version: v5.3.4
  • UI type: Angular
  • DB provider: EF Core
  • Tiered (MVC) or Identity Server Separated (Angular): yes
  • Exception message and stack trace: yes
  • Steps to reproduce the issue:
    • Open the separated Identity project
    • Use the Wappalyzer Chrome add-on

3 Answer(s)
  • 0
    mahmut.gundogdu created

    Are you sure your UI is Angular? I have checked, and Angular does not use the Toastr library. It is used by MVC and Blazor. I have redirected the issue to the MVC or Blazor team.

    Or maybe that page is on the server side, so you can use the resource owner flow. https://docs.abp.io/en/abp/latest/UI/Angular/Authorization#resource-owner-password-flow

  • 0
    hamidsharifi created

    Hi Mahmut,

    It is MVC that the UI in Identity is using.

  • 0
    maliming created
    Support Team Fullstack Developer

    Hi,

    You can use a higher version of the package in package.json, and we will also upgrade it in the new version.
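Until the package is upgraded, the practical mitigation for a toast library that inserts its message as HTML is to escape the title and message at the call site. The following is an added example (not ABP's or toastr's own code): the escaping wrapper is the mitigation, and `renderToastHtml` is a constructed stand-in for a library's innerHTML path so the example runs offline without a DOM.

```javascript
// Added example (not ABP's or toastr's code): HTML-escape untrusted text
// before it reaches a toast library that renders messages as HTML.
// renderToastHtml is a constructed stand-in for such a library's
// innerHTML path; it exists only so the example runs without a browser.

// The five characters that matter in HTML text and attribute context.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

function escapeHtml(value) {
  // Coerce non-strings (numbers, null, undefined) so no input bypasses escaping.
  return String(value ?? "").replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Constructed stand-in for a toast renderer that trusts its input as HTML.
function renderToastHtml(title, message) {
  return `<div class="toast"><div class="toast-title">${title}</div>` +
         `<div class="toast-message">${message}</div></div>`;
}

// Use this at call sites instead of calling the library directly: anything
// that may originate from a user or from a server error message is escaped.
function safeToast(title, message) {
  return renderToastHtml(escapeHtml(title), escapeHtml(message));
}

// Detection helper: true when the rendered markup still contains the raw
// tags from the input, i.e. the message reached the DOM unescaped.
function leaksMarkup(rendered, untrusted) {
  return /<[a-z!/]/i.test(untrusted) && rendered.includes(untrusted);
}

// Constructed sample: an error message that echoes a form field back.
const untrusted = 'Login failed for <script>alert("xss")</script>';
const unsafeHtml = renderToastHtml("Error", untrusted);  // tags survive
const safeHtml = safeToast("Error", untrusted);          // tags are escaped
```

toastr itself also exposes an `escapeHtml` option (off by default) that escapes title and message inside the library; escaping at the call site as above does not depend on that setting being remembered for every toast.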

Made with ❤️ on ABP v9.1.0-preview. Updated on November 11, 2024, 11:11