
fix(notification): sanitize toast innerHTML inputs#3238

Open
Lavn1sh wants to merge 1 commit into carbon-design-system:master from Lavn1sh:fix/sanitize-toast-innerhtml

Conversation


@Lavn1sh Lavn1sh commented Feb 5, 2026

Closes carbon-design-system/carbon-components-angular#

Summary

Toast notifications bind title, subtitle, and caption via innerHTML.
This change sanitizes those inputs at the component boundary to prevent XSS
when values originate from untrusted sources.

Changelog

Changed

  • Sanitized title, subtitle, and caption inputs using Angular
    DomSanitizer.sanitize(SecurityContext.HTML, …) before binding to innerHTML

Removed

  • None

Additional context

Reference: https://tracker.ceph.com/issues/74770

@Lavn1sh Lavn1sh requested a review from a team as a code owner February 5, 2026 15:49

netlify Bot commented Feb 5, 2026

Deploy Preview for carbon-components-angular failed.

Name Link
🔨 Latest commit dfc7e35
🔍 Latest deploy log https://app.netlify.com/projects/carbon-components-angular/deploys/6984bbfc4bd2c60008c02e42


github-actions Bot commented Feb 5, 2026

DCO Assistant Lite bot All contributors have signed the DCO.


Lavn1sh commented Feb 5, 2026

I have read the DCO document and I hereby sign the DCO.
