Cross-site Scripting (XSS) Affecting angularjs.core package, versions [,1.6.7)
Proof of concept
25 Dec 2017
17 Oct 2017
Introduced: 17 Oct 2017
CWE-79
How to fix?
Upgrade AngularJS.Core to version 1.6.7 or higher.
AngularJS.Core is an AngularJS.* package for other Angular modules within .NET.
Affected versions of this package are vulnerable to Cross-site Scripting (XSS).
Browsers mutate attribute values such as
innerHTML in various vendor-specific ways.
Here is an example of what could happen:
The sanitizer contains a bit of code that triggers this mutation on an inert piece of DOM, before AngularJS sanitizes it.
Note: Chrome 62 does not appear to mutate this particular string any more, instead it just leaves the "whitespace" in place. This probably means that Chrome 62 is no longer vulnerable to this specific attack vector.
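The sanitizer behaviour described above (trigger the browser's mutation on inert DOM first, then sanitize the result) can be sketched as follows. This is an added example, not AngularJS source; the function names, the pass limit, the "blocked:" prefix and the stand-in browser models are all assumptions made for illustration.

```javascript
// Added illustration, not AngularJS source. All names here are hypothetical.
const MAX_PASSES = 5; // assumed bound on re-parse attempts

// Browser default: write the markup into a document that is never rendered and
// runs no script, then read it back so vendor-specific mutation has happened.
function inertRoundTrip(html) {
  const doc = document.implementation.createHTMLDocument('inert');
  doc.body.innerHTML = html;
  return doc.body.innerHTML;
}

// Re-parse until the serialised markup stops changing; fail closed otherwise.
function stabilise(html, roundTrip = inertRoundTrip, maxPasses = MAX_PASSES) {
  let current = String(html);
  for (let pass = 0; pass < maxPasses; pass++) {
    const next = roundTrip(current);
    if (next === current) return current; // fixed point reached
    current = next;
  }
  throw new Error('markup is unstable under re-parsing; refusing to sanitise');
}

// The filter only ever sees the stabilised form.
function sanitiseStable(html, filter, roundTrip = inertRoundTrip) {
  return filter(stabilise(html, roundTrip));
}

// --- Constructed stand-ins so the example runs outside a browser ---
// Model of a mutating browser: drops whitespace at the start of attribute values.
const modelRoundTrip = (html) => html.replace(/="\s+/g, '="');
// Model of a parser that never settles (grows on every pass).
const unstableRoundTrip = (html) => html + ' ';
// Toy filter: removes attributes whose value starts with the made-up prefix "blocked:".
const toyFilter = (html) => html.replace(/\s[\w-]+="blocked:[^"]*"/g, '');

const SAMPLE = '<a data-x=" blocked:1" title="ok">t</a>'; // constructed input

function demo() {
  return {
    filterFirst: modelRoundTrip(toyFilter(SAMPLE)), // mutation undoes the check
    stabiliseFirst: sanitiseStable(SAMPLE, toyFilter, modelRoundTrip),
  };
}
```

In the filter-first order the attribute survives the check and only takes its blocked form after the browser rewrites it; in the stabilise-first order the filter sees the form the browser will actually keep.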