Cross-site Scripting (XSS)
Affecting org.webjars.bower:angular artifact, versions (,1.6.7)
org.webjars.bower:angular is a bower WebJar for angular.
Affected versions of this package are vulnerable to Cross-site Scripting (XSS).
Browsers mutate attribute values written to the DOM via innerHTML in various vendor-specific ways.
Here is an example of what could happen:
The sanitizer contains a bit of code that triggers this mutation on an inert piece of DOM before Angular sanitizes it.
Note: Chrome 62 does not appear to mutate this particular string any more, instead it just leaves the "whitespace" in place. This probably means that Chrome 62 is no longer vulnerable to this specific attack vector.
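The ordering that the sanitizer change relies on, as an added example (not Angular's code and not part of the original advisory): the markup is round-tripped until it stops changing, and only then checked. All function names are hypothetical, the URL check is deliberately simplified, and the round trip is a constructed simulation of the whitespace-stripping behaviour so the block runs without a DOM.

```javascript
// Added example, not Angular's sanitizer. All names are hypothetical.
const ALLOWED_SCHEMES = new Set(['http', 'https', 'mailto']);

// Simplified URL check: a value with no leading scheme is treated as relative.
function isSafeUrl(value) {
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(value);
  return m === null || ALLOWED_SCHEMES.has(m[1].toLowerCase());
}

// Simplified sanitizer: drops href attributes whose value fails the check.
function sanitizeHrefs(html) {
  return html.replace(/\shref="([^"]*)"/gi,
    (attr, value) => (isSafeUrl(value) ? attr : ''));
}

// Constructed stand-in for a browser's innerHTML write/read round trip that
// strips leading whitespace from an attribute value. In a browser this would
// be done on an inert document (document.implementation.createHTMLDocument).
function simulatedLegacyRoundTrip(html) {
  return html.replace(/(\shref=")\s+/gi, '$1');
}

// Repeat the round trip until the markup stops changing, so the check runs
// on the string the browser will finally hold.
function stabilize(html, roundTrip, maxPasses = 5) {
  let current = html;
  for (let i = 0; i < maxPasses; i++) {
    const next = roundTrip(current);
    if (next === current) return current;
    current = next;
  }
  throw new Error('markup did not stabilize; refusing to sanitize');
}

// Constructed sample input: U+3000 (ideographic space) before the scheme.
const sample = '<a href="\u3000javascript:void(0)">x</a>';

// Check first, mutate later: the check sees a "relative" URL and keeps it.
const checkedTooEarly = simulatedLegacyRoundTrip(sanitizeHrefs(sample));
// Mutate first, check later: the check sees the final value and drops it.
const checkedAfterMutation =
  sanitizeHrefs(stabilize(sample, simulatedLegacyRoundTrip));

console.log(checkedTooEarly);
console.log(checkedAfterMutation);
```
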
Upgrade org.webjars.bower:angular to version 1.6.7 or higher.
- Snyk ID
- 17 Oct, 2017
- 25 Dec, 2017