Proof of concept
25 Dec 2017
17 Oct 2017
Introduced: 17 Oct 2017
CWE-79
How to fix?
Upgrade angular to version 1.6.7 or higher.
angular is a package that lets you write client-side web applications as if you had a smarter browser. It also lets you use HTML as your template language and lets you extend HTML’s syntax to express your application’s components clearly and succinctly.
Affected versions of this package are vulnerable to Cross-site Scripting (XSS).
Browsers mutate attribute values such as innerHTML in various vendor-specific ways.
Here is an example of what could happen:
The sanitizer contains a bit of code that triggers this mutation on an inert piece of DOM before angular sanitizes it.
Note: Chrome 62 does not appear to mutate this particular string any more; instead it just leaves the "whitespace" in place. This probably means that Chrome 62 is no longer vulnerable to this specific attack vector.
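The mitigation the advisory describes, an inert round-trip that forces the browser's mutation to happen before the sanitizer inspects the value, is shown below as an added example. It is not angular's or Snyk's code. To run in Node without a DOM it is reduced to a single attribute value, the browser round-trip is injected as a function, and `mockBrowserRoundTrip`, `naiveIsSafeUrl`, `checkHref` and the sample payload are all constructed for illustration rather than taken from the advisory or from any real browser.

```javascript
// Added example (not angular's or Snyk's code): a mutation-stabilizing pre-pass
// of the kind the advisory describes, reduced to one attribute value so it runs
// in Node. The browser round-trip is injected; mockBrowserRoundTrip is a
// constructed stand-in for a vendor-specific mutation.

const MAX_ROUNDS = 5;

// Round-trip `value` through `roundTrip` (in a browser: assign it to an inert
// element and read it back) until the output stops changing. Input that does
// not settle within maxRounds is rejected rather than passed on to the sanitizer.
function stabilize(value, roundTrip, maxRounds = MAX_ROUNDS) {
  let current = value;
  for (let round = 0; round < maxRounds; round++) {
    const next = roundTrip(current);
    if (next === current) return current; // fixed point reached
    current = next;
  }
  throw new Error('value did not stabilize after ' + maxRounds + ' rounds');
}

// Constructed browser behaviour (assumption, for illustration only): leading
// whitespace and NUL bytes in a URL attribute are dropped on re-serialization.
// Real mutations differ by vendor and version (the advisory's Chrome 62 note is
// one such difference), which is exactly why the stabilizing pass exists: a
// browser that does not mutate simply converges on the first round.
function mockBrowserRoundTrip(value) {
  return value.replace(/^[\s\u0000]+/, '');
}

// Deliberately naive scheme check, standing in for a sanitizer that looks at
// the raw attribute value: it rejects only values that *start* with javascript:.
function naiveIsSafeUrl(value) {
  return !/^javascript:/i.test(value);
}

// Decide whether an href may be kept. With stabilizeFirst=false the check runs
// on the raw value and the browser mutates it afterwards; with stabilizeFirst=true
// the check runs on the value the browser will actually use.
function checkHref(rawValue, roundTrip, stabilizeFirst) {
  const inspected = stabilizeFirst ? stabilize(rawValue, roundTrip) : rawValue;
  const passed = naiveIsSafeUrl(inspected);
  // What the browser ends up with after sanitization is what matters.
  const rendered = roundTrip(inspected);
  return {
    verdict: passed ? 'allowed' : 'blocked',
    rendered,
    // True when the sanitizer allowed a value that the browser then turns into
    // a javascript: URL, i.e. the mutation-XSS condition.
    mutationBypass: passed && !naiveIsSafeUrl(rendered),
  };
}

// Stand-alone demonstration on a constructed sample input.
const payload = ' javascript:alert(1)';
console.log(checkHref(payload, mockBrowserRoundTrip, false)); // allowed, mutationBypass: true
console.log(checkHref(payload, mockBrowserRoundTrip, true));  // blocked, mutationBypass: false
```

The design point is the bounded fixed-point loop: sanitizing is only meaningful on the representation the browser will actually use, and a value that keeps changing under round-tripping is treated as unsafe input instead of being forwarded.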