Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to unsanitized URIs in
< can be coded as
> can be coded as
> in order to be interpreted and displayed as themselves in text, while within the code itself, they are used for HTML tags. If malicious content is injected into an application that escapes special characters and that malicious content uses
> as HTML tags, those characters are nonetheless not interpreted as HTML tags by the browser if they’ve been correctly escaped in the application code and in this way the attempted attack is diverted.
Types of attacks
There are a few methods by which XSS can be manipulated:
The following environments are susceptible to an XSS attack:
- Web servers
- Application servers
- Web application environments
How to prevent
This section describes the top best practices designed to specifically protect your code:
- Convert special characters such as
>and spaces to their respective HTML or URL encoded equivalents.
- Give users the option to disable client-side scripts.
- Redirect invalid requests.
angular to version 1.3.0-rc.4 or higher.
- Laurent Trillaud
- Snyk ID
- 07 Sep, 2014
- 23 Jan, 2017