XSS Vulnerability in Notification Component Template #3150

@davidgalvis-sicpa

Description

Summary

The notification component template contains an XSS vulnerability due to unsafe HTML rendering using [innerHTML]. The title and message fields accept HTML content without explicit documentation, which can lead to unintended HTML injection when developers assume these fields are plain text.

Problem

  • The template uses [innerHTML] for both notificationObj.title and notificationObj.message
  • No clear indication in the API that these fields accept HTML
  • Developers may unknowingly pass user-controlled content, creating XSS attack vectors
  • This has already occurred in production environments

Proposed Solution

Add explicit HTML fields to the NotificationContent interface:

  • Keep existing title and message fields for plain text (escape HTML)
  • Add new titleHtml and messageHtml fields for intentional HTML content
  • Update template to use appropriate rendering based on field type
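The split described above, modelled as an added, framework-agnostic example (not the component's actual template or the project's code): the field names title, message, titleHtml and messageHtml come from this issue, while the escapeHtml helper, the two render functions and the sample notifications are assumptions made here to show the contrast between the current behaviour and the proposed contract.

```typescript
// Added example, not the project's own code. Models the proposed
// NotificationContent contract: plain-text fields are always escaped,
// HTML is rendered only from the explicitly named *Html fields.

export interface NotificationContent {
  title?: string;       // plain text, escaped before rendering
  message?: string;     // plain text, escaped before rendering
  titleHtml?: string;   // explicit opt-in: rendered as HTML
  messageHtml?: string; // explicit opt-in: rendered as HTML
}

// Escape the characters that can change meaning in an HTML text context.
export function escapeHtml(text: string): string {
  return text
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// 'Before' (the behaviour the issue reports): both fields flow straight into
// markup, so any tags in user-controlled text become part of the DOM.
export function renderUnsafe(n: NotificationContent): string {
  return `<h4>${n.title ?? ''}</h4><p>${n.message ?? ''}</p>`;
}

// 'After' (the proposed contract): a *Html field is used verbatim when the
// caller set it; otherwise the plain field is escaped. Nothing is rendered
// as HTML unless the caller asked for it by name.
export function renderSafe(n: NotificationContent): string {
  const title = n.titleHtml ?? escapeHtml(n.title ?? '');
  const message = n.messageHtml ?? escapeHtml(n.message ?? '');
  return `<h4>${title}</h4><p>${message}</p>`;
}

// Constructed sample: the message carries text that came from a user and
// happens to contain a tag. Under the old behaviour it becomes markup.
export const userControlled: NotificationContent = {
  title: 'Profile updated',
  message: 'Welcome, <b>admin</b>',
};

// Constructed sample: a developer who deliberately wants a link opts in
// through messageHtml, so the intent is visible at the call site.
export const intentionalHtml: NotificationContent = {
  title: 'Build finished',
  messageHtml: 'See the <a href="/builds/42">build log</a>.',
};
```

In an Angular template this corresponds to interpolating `title` and `message` with `{{ }}` (which always treats the value as text) and binding only `titleHtml` and `messageHtml` through `[innerHTML]`. Angular's `[innerHTML]` binding does pass the value through its sanitizer, which removes scripts and event-handler attributes, but it still renders tags and links, so the point of the proposed change is that a caller can no longer reach that path by accident through a field documented as plain text.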

Benefits

  • Clear API contract - developers know when HTML is expected
  • Backward compatibility maintained
  • Prevents accidental XSS vulnerabilities
  • Follows security best practices of explicit opt-in for HTML content

Security Impact

High - Current implementation allows arbitrary HTML injection through notification content.
