Security Advisories in Syncfusion® EJ2 Controls
6 Feb 2026 · 2 minutes to read
Syncfusion places the highest priority on the security of its controls. All Essential JS 2 components undergo rigorous static code analysis using ESLint and the eslint-plugin-security plugin. Software composition analysis is performed with SOOS to detect and mitigate vulnerabilities in dependencies.
This page summarizes the key security enhancements and fixes delivered in Syncfusion® Essential® JS2 controls across volume releases.
Security Updates
The following security updates are available for Syncfusion® Essential® JS2 controls, listed by release version.
2023 Volume 2 (v32.1.19) - June 21, 2023
The Content Security Policy support for Syncfusion® controls has been enhanced by eliminating the need for the unsafe-eval keyword. This allows the controls to run under a strict Content Security Policy (CSP) and improves the overall security of Syncfusion® controls.
Threat:
unsafe-eval is a CSP source keyword that, when present in the script-src (or fallback default-src) directive, permits eval() and the other APIs that execute code from strings, such as new Function(). Executing code assembled from strings is a potential security risk, and a strict policy omits the keyword.
Resolution:
Starting from release v32.1.19, Syncfusion® has removed the need for the unsafe-eval keyword in the CSP meta tag by implementing a function template approach for template properties. Templates are supplied as ordinary JavaScript functions instead of being compiled from strings at runtime, which prevents the execution of code from strings and further improves the overall security of Syncfusion® controls.
For more information about the Content Security Policy, refer to this documentation.
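The following is an added illustration, not Syncfusion code: it shows why a string-compiled template requires the unsafe-eval keyword while a function template does not, and includes a small (assumed, not an EJ2 API) helper that checks whether a CSP header value would allow eval() at all.

```javascript
// Added example (not part of the EJ2 library). parseCsp, cspAllowsEval,
// compileStringTemplate and functionTemplate are illustrative assumptions.

// Parse a Content-Security-Policy header value into { directive: [sources...] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [directive, ...sources] = tokens;
    policy[directive.toLowerCase()] = sources.map((s) => s.toLowerCase());
  }
  return policy;
}

// script-src governs eval()/new Function(); when it is absent the browser
// falls back to default-src. Returns true only if 'unsafe-eval' is granted.
function cspAllowsEval(header) {
  const policy = parseCsp(header);
  const sources = policy['script-src'] || policy['default-src'] || [];
  return sources.includes("'unsafe-eval'");
}

// A string template such as '<span>${name}</span>' has to be turned into code
// at runtime. This is the pattern that needs 'unsafe-eval'; under a strict
// policy the browser throws on the new Function() call below.
function compileStringTemplate(template) {
  const body = 'return `' + template.replace(/\$\{/g, '${data.') + '`;';
  return new Function('data', body); // blocked without 'unsafe-eval'
}

// A function template is plain JavaScript shipped with the application:
// nothing is compiled from a string, so it runs under a strict CSP.
const functionTemplate = (data) => `<span>${data.name} (${data.age})</span>`;

// Render the same constructed record both ways to show the output is identical;
// only the string-compiled path depends on eval-style APIs.
function renderBoth(data) {
  return {
    fromString: compileStringTemplate('<span>${name} (${age})</span>')(data),
    fromFunction: functionTemplate(data),
  };
}
```

Running renderBoth in Node succeeds for both paths because Node does not enforce CSP; in a browser page whose policy lacks 'unsafe-eval', only the fromFunction path works.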
2019 Volume 4 (v17.4.39) - December 17, 2019
An HTML Sanitizer has been implemented to prevent cross-site scripting (XSS) attacks in Syncfusion® controls. This ensures that the data rendered in the controls is safe and secure.
Threat:
Cross-Site Scripting (XSS) is a vulnerability where attackers inject malicious code into a web application, typically using JavaScript, but it could also involve HTML or CSS. Some Syncfusion® controls accept user input values, including HTML strings.
Resolution:
To mitigate this threat, we have introduced the SanitizeHtmlHelper.sanitize method in the Syncfusion® JavaScript base library (@syncfusion/ej2-base). This method sanitizes user-supplied HTML strings before they are rendered in a control, removing script content and other active markup. We recommend using this method on any HTML that originates from user input to prevent Cross-Site Scripting vulnerabilities. For example, refer to the following code snippet.
import { SanitizeHtmlHelper } from '@syncfusion/ej2-base';
// Untrusted input as it might arrive from a form field or an API response.
let html: string = '<script>alert("XSS");</script>';
// Pass the string through the sanitizer before binding it to a control property.
let sanitizedHtml: string = SanitizeHtmlHelper.sanitize(html);
Security Issue
If users discover any security issues or need assistance in resolving them with Syncfusion® controls, please contact us by creating a support ticket on our support site or by posting your query on Stack Overflow with the tag syncfusion-ej2.