angular is HTML enhanced for web apps.
Affected versions of the package are vulnerable to Cross-site Scripting (XSS) via ideographic space characters in URIs.
Browsers mutate attribute values, such as those assigned through innerHTML, in various vendor-specific ways.
Here is an example of what could happen:
// Read an element's markup back from the DOM and assign it again:
// the browser re-serialises and re-parses it, and may change attribute
// values in the process, so the value that ends up in the DOM is not
// necessarily the string that was assigned.
var h1 = document.querySelector('h1');
var innerHTML = h1.innerHTML;
h1.innerHTML = innerHTML;
The sanitizer contains code that deliberately triggers this mutation on an inert piece of DOM before angular sanitizes the result.
Note: Chrome 62 does not appear to mutate this particular string anymore; instead it leaves the "whitespace" in place. This probably means that Chrome 62 is no longer vulnerable to this specific attack vector.
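As an added example (not code from this advisory or from AngularJS's own $sanitize), the Node.js script below shows why a URI scheme allowlist must normalise the value before inspecting it. The naive check treats a scheme split by an ideographic space as a harmless relative URI, while a browser that folds or strips that whitespace when it parses the URL sees the real scheme. The hardened check strips Unicode whitespace and control characters first and rejects any unknown scheme that remains. The allowlist, the set of characters that is stripped, and the sample values are this example's assumptions.

```javascript
// Added example, not AngularJS's own $sanitize code: a URI scheme allowlist
// that is robust to exotic whitespace such as the ideographic space (U+3000).
// The allowlist and the normalisation rule are this example's assumptions.

// Constructed sample attribute values; none are taken from a real page.
const SAMPLES = {
  plainHttps: 'https://example.com/path',
  relative: '/account/settings',
  mailto: 'mailto:security@example.com',
  ideographicSpaceInScheme: 'java\u3000script:void(0)', // U+3000 splits the scheme
  tabInScheme: 'java\tscript:void(0)',                   // an ASCII control char does too
  dataUri: 'data:text/html,x',
};

const ALLOWED_SCHEMES = /^(?:https?|ftp|mailto|tel):/i;
// RFC 3986 scheme: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) followed by ":"
const HAS_SCHEME = /^[a-z][a-z0-9+.\-]*:/i;

// Naive validator: accept an allowlisted scheme, or anything that "has no
// scheme" and therefore looks like a relative URI. It inspects the raw string.
function naiveIsSafeUri(value) {
  if (ALLOWED_SCHEMES.test(value)) return true;
  return !HAS_SCHEME.test(value);
}

// Remove every character a browser may drop or fold while parsing a URL:
// Unicode whitespace (JS \s covers U+3000, U+FEFF, U+2028/9 and friends),
// C0 controls, DEL and zero-width spaces/joiners.
function normalizeUri(value) {
  return String(value).replace(/[\s\u0000-\u001F\u007F\u200B-\u200D]+/g, '');
}

// Hardened validator: decide on the normalised string, and reject any
// remaining scheme that is not on the allowlist instead of assuming that
// "unknown scheme" means "relative URI".
function hardenedIsSafeUri(value) {
  const normalized = normalizeUri(value);
  if (ALLOWED_SCHEMES.test(normalized)) return true;
  if (HAS_SCHEME.test(normalized)) return false;
  return true; // no scheme left after normalisation: a relative URI
}

// Defender's audit: which sample values does the naive check accept that the
// hardened check rejects? Those are the values worth alerting on in a log
// or template review.
function bypassingNaiveCheck(samples = SAMPLES) {
  return Object.keys(samples).filter(
    (name) => naiveIsSafeUri(samples[name]) && !hardenedIsSafeUri(samples[name])
  );
}

// Stand-alone run: print a verdict table for the constructed samples.
for (const [name, value] of Object.entries(SAMPLES)) {
  console.log(
    name.padEnd(26),
    'naive:', String(naiveIsSafeUri(value)).padEnd(5),
    'hardened:', hardenedIsSafeUri(value)
  );
}
console.log('accepted by the naive check only:', bypassingNaiveCheck());
```

The important design choice is the last line of hardenedIsSafeUri: after normalisation the only values accepted without an allowlisted scheme are those with no scheme at all, so a value that a browser would parse into an unlisted scheme is never mistaken for a relative link.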
These attacks are possible by escaping the context of the web application and injecting malicious scripts into an otherwise trusted website. These scripts can introduce additional attributes (say, a "new" option in a dropdown list or a new link to a malicious site) and can potentially execute code on the client side, unbeknownst to the victim. This occurs when characters like < > " ' are not escaped properly.
There are a few types of XSS:
- Persistent XSS is an attack in which the malicious code persists into the web app’s database.
- Reflected XSS is an attack in which the website echoes back a portion of the request. The attacker needs to trick the user into clicking a malicious link (for instance through a phishing email or malicious JS on another page), which triggers the XSS attack.
You can read more about Cross-site Scripting (XSS) on our blog.
Upgrade angular to version 1.6.7 or higher.