angular is a package that lets you write client-side web applications as if you had a smarter browser. It also lets you use HTML as your template language and lets you extend HTML’s syntax to express your application’s components clearly and succinctly.
Affected versions of this package are vulnerable to Cross-site Scripting (XSS).
Browsers mutate attributes values such as
innerHTML in various vendor specific ways.
Here is an example of what could happen:
The sanitizer contains a bit of code that triggers this mutation on an inert piece of DOM, before angular sanitizes it.
Note: Chrome 62 does not appear to mutate this particular string any more, instead it just leaves the "whitespace" in place. This probably means that Chrome 62 is no longer vulnerable to this specific attack vector.
angular to version 1.6.7 or higher.
- Snyk ID
- 17 Oct, 2017
- 25 Dec, 2017