Cross-site Scripting (XSS) Affecting angular package, versions <1.5.0-rc.0
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsSnyk Learn
Learn about Cross-site Scripting (XSS) vulnerabilities in an interactive lesson.
Start learning- Snyk IDnpm:angular:20151205
- published23 Jan 2017
- disclosed4 Dec 2015
- creditPete Bacon Darwin
Introduced: 4 Dec 2015
CVE NOT AVAILABLE CWE-79 (opens in a new tab)How to fix?
Upgrade angular to version 1.5.0-rc.0 or higher.
Overview
angular is a package that lets you write client-side web applications as if you had a smarter browser. It also lets you use HTML as your template language and lets you extend HTML’s syntax to express your application’s components clearly and succinctly.
Affected versions of this package are vulnerable to Cross-site Scripting (XSS)
via the SVG <use> element.
The <use> element can reference external SVG's (same origin) and can include xlink:href javascript urls or foreign object that can execute XSS. The change disallows <use> elements in sanitized SVG markup.
An example of a malicious SVG document would be:
SVG to sanitize:
<svg><use xlink:href="test.svg#xss" /></svg>
External SVG file (test.svg):
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<svg xmlns:svg="http://www.w3.org/2000/svg"
xmlns="http://www.w3.org/2000/svg" width="100"
height="100"
id="xss">
<a xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="javascript:alert(1)">
<circle cx="50" cy="50" r="40" stroke="black" stroke-width="3" fill="red" />
</a>
</svg>
Here the SVG to sanitize loads in the test.svg file via the <use> element. The sanitizer is not able to parse this file, which contains malicious executable mark-up.
This can only be taken advantage of if the external file is available via the
same origin restrictions in place.