| Snyk

angular is a package that lets you write client-side web applications as if you had a smarter browser. It also lets you use HTML as your template language and lets you extend HTML’s syntax to express your application’s components clearly and succinctly.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) Concatenating expressions makes it hard to reason about whether some combination of concatenated values are unsafe to use and could easily lead to XSS. By requiring that a single expression be used for *[src/ng-src] such as iframe[src], object[src], etc. (but not img[src/ng-src] since that value is sanitized), it is ensured that the value that's used is assigned or constructed by some JS code somewhere that is more testable or make it obvious that you bound the value to some user controlled value. This helps reduce the load when auditing for XSS issues.

To migrate your code, follow the example below:

Before:

JS:
scope.baseUrl = 'page';
scope.a = 1;
scope.b = 2;

HTML:
<!-- Are a and b properly escaped here? Is baseUrl
 controlled by user? -->
<iframe src="{{baseUrl}}?a={{a}&b={{b}}">

After:

JS:
var baseUrl = "page";
scope.getIframeSrc = function() {
  // There are obviously better ways to do this.  The
  // key point is that one will think about this and do
  // it the right way.
  var qs = ["a", "b"].map(function(value, name) {
  return encodeURIComponent(name) + "=" +
 encodeURIComponent(value);
}).join("&");
  // baseUrl isn't on scope so it isn't bound to a user
  // controlled value.
  return baseUrl + "?" + qs;
}

HTML: <iframe src="{{getIframeSrc()}}">Before:

##Details

Cross-site Scripting (XSS) Affecting angular package, versions >=1.0.0 <1.2.0

Severity

Do your applications use this vulnerable package?

Snyk Learn

Introduced: 21 Jun 2013

How to fix?

Overview

References

CVSS Scores

Snyk