SYM_JSTS_0166 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
| Property | Value |
|---|---|
| Language |  |
| Severity |  |
| CWE | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
| OWASP | A07:2017 - Cross-Site Scripting (XSS) |
| Confidence Level | Low |
| Impact Level | Medium |
| Likelihood Level | Low |
Description
Using $sce.trustAsHtml in Angular with user-supplied input can allow attackers to inject malicious HTML or JavaScript code. This makes your application vulnerable to cross-site scripting (XSS) attacks.
Impact
If exploited, an attacker could run arbitrary scripts in the user's browser, potentially stealing sensitive information, hijacking user sessions, or defacing your site. This puts both user data and application integrity at risk.