FAQ-001107 - Lightning Web Component Event Security / Event Propagation Security

Current Status: VALID_RESPONSE

Current FAQ

Question
Are there acceptable use cases for using bubbles: true and composed: true in LWC events, and will this fail security review?
Answer
Using `bubbles: true` and `composed: true` for LWC events is not inherently a security risk that will fail an AppExchange Security Review. There are acceptable use cases that won't fail security review when:

1. The events do not involve sensitive information, such as secrets, potential PII data, OAuth tokens, or passwords.
2. Clear documentation is provided in a false positive document, explaining that no sensitive data is being exposed.

If sensitive information is involved, the issue must be remediated to pass the security review. If sensitive data is not involved, document this in a false-positive report with a clear explanation to avoid any issues during the review process.
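
The decision rule in the answer above, written out as an added example (not Salesforce code and not part of the original FAQ): a helper that takes a CustomEvent, or the init object passed to its constructor, and sorts it into remediate, document as false positive, or not flagged. The function names, verdict strings, and key-name patterns are assumptions, and the check looks only at key names in `detail`, not at values.

```javascript
// Added example, not Salesforce code. The key-name patterns are assumptions;
// extend them to match the data your package actually handles.
const SENSITIVE_KEY = /(secret|passw(or)?d|token|api[_-]?key|email|phone|birthdate)/i;

// Walk an event's detail payload and collect the paths of suspicious keys.
function findSensitiveKeys(value, path = 'detail', seen = new Set()) {
  if (value === null || typeof value !== 'object' || seen.has(value)) return [];
  seen.add(value); // guard against circular references
  const hits = [];
  for (const [key, child] of Object.entries(value)) {
    const childPath = `${path}.${key}`;
    if (SENSITIVE_KEY.test(key)) hits.push(childPath);
    hits.push(...findSensitiveKeys(child, childPath, seen));
  }
  return hits;
}

// Accepts a CustomEvent or the init object passed to its constructor.
function triageEvent(name, evt) {
  // Only events that both bubble and cross shadow boundaries are in scope.
  const flagged = evt.bubbles === true && evt.composed === true;
  const sensitiveKeys = findSensitiveKeys(evt.detail);
  let verdict = 'not-flagged';
  if (flagged) {
    verdict = sensitiveKeys.length ? 'remediate' : 'document-false-positive';
  }
  return { name, flagged, sensitiveKeys, verdict };
}

// Constructed sample events (names and payloads are made up for illustration).
const samples = [
  ['tabselect', { bubbles: true, composed: true, detail: { tabIndex: 2 } }],
  ['authcomplete', { bubbles: true, composed: true,
    detail: { user: { id: '005xx', accessToken: 'REDACTED' } } }],
  ['rowclick', { bubbles: true, detail: { recordId: '001xx' } }],
];
const report = samples.map(([name, init]) => triageEvent(name, init));
console.log(report);
```

A `document-false-positive` verdict still needs a human to confirm that the values carried in `detail` are not sensitive before the false-positive report is written.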

AI Recommended Enhancement

Related Security Rules
AvoidLwcBubblesComposedTrue
Question
Are there acceptable use cases for using bubbles: true and composed: true in LWC events, and will this fail security review?
Recommended Answer Update
Using `bubbles: true` and `composed: true` for LWC events is not inherently a security risk that will fail an AppExchange Security Review. There are acceptable use cases that won't fail security review when:

1. The events don't involve sensitive information, such as secrets, potential PII data, OAuth tokens, or passwords.
2. Clear documentation is provided in a false positive document, explaining that no sensitive data is being exposed.

If sensitive information is involved, the issue must be remediated to pass the security review. If sensitive data isn't involved, document this in a false-positive report with a clear explanation to avoid any issues during the review process.
Reasoning
The answer was already accurate and comprehensive, addressing the core security concerns around LWC event propagation. I made minor improvements for clarity and readability by:

1. Changed "do not involve" to "don't involve" - using contractions for a more conversational tone per the style guidelines
2. Changed "is not involved" to "isn't involved" - consistent use of contractions
3. Maintained all original points and structure while improving flow

The related security rule AvoidLwcBubblesComposedTrue directly applies to this FAQ because:

- The FAQ question explicitly asks about "bubbles: true and composed: true in LWC events"
- The FAQ answer discusses when these properties are acceptable vs. problematic from a security review perspective
- The rule AvoidLwcBubblesComposedTrue (severity 3) is designed to detect exactly this pattern - LWC events using bubbles: true and composed: true
- The FAQ content provides guidance on how to handle this rule violation through proper documentation when no sensitive data is involved, which directly relates to the rule's security concern