Cross-site Scripting (XSS) Affecting angular package, versions <1.6.7
Threat Intelligence
Snyk has a proof-of-concept or detailed explanation of how to exploit this vulnerability.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsSnyk Learn
Learn about Cross-site Scripting (XSS) vulnerabilities in an interactive lesson.
Start learning- Snyk IDnpm:angular:20171018
- published25 Dec 2017
- disclosed17 Oct 2017
- creditUnknown
Introduced: 17 Oct 2017
CVE NOT AVAILABLE CWE-79 (opens in a new tab)How to fix?
Upgrade angular to version 1.6.7 or higher.
Overview
angular is a package that lets you write client-side web applications as if you had a smarter browser. It also lets you use HTML as your template language and lets you extend HTML’s syntax to express your application’s components clearly and succinctly.
Affected versions of this package are vulnerable to Cross-site Scripting (XSS).
Browsers mutate attributes values such as  javascript:alert(1) when they are written to the DOM via innerHTML in various vendor specific ways.
In Chrome (<62), this mutation removed the preceding "whitespace" resulting in a value that could end up being executed as JavaScript.
Here is an example of what could happen:
// Code goes here
var h1 = document.querySelector('h1');
h1.innerHTML = '<a href=" javascript:alert(1)">CLICKME</a>';
var innerHTML = h1.innerHTML;
console.log(innerHTML);
h1.innerHTML = innerHTML;
The sanitizer contains a bit of code that triggers this mutation on an inert piece of DOM, before angular sanitizes it.
Note: Chrome 62 does not appear to mutate this particular string any more, instead it just leaves the "whitespace" in place. This probably means that Chrome 62 is no longer vulnerable to this specific attack vector.