SYM_JSTS_0173 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
# Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
| OWASP | A07:2017 - Cross-Site Scripting (XSS) |
| Confidence Level | Medium |
| Impact Level | Medium |
| Likelihood Level | Low |

## Description
Using `$sce.trustAs` or `$sce.trustAsHtml` in Angular on user-provided data marks that data as safe to render, so any malicious content it carries bypasses Angular's contextual escaping and can lead to cross-site scripting (XSS). This happens when the input is not properly sanitized before it is trusted.
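As an added illustration that is not part of this database entry: the flagged AngularJS pattern beside a safe alternative, preceded by a small heuristic check of the kind a rule like this one performs. It assumes AngularJS 1.x with the `ngSanitize` module loaded; the controller names, `userComment`, `renderedHtml` and the sample source the detector is run over are constructed for the example.

```javascript
// Added example, not code from the Symbiotic database entry. Assumes AngularJS 1.x
// with the ngSanitize module loaded; controller names, `userComment`,
// `renderedHtml` and SAMPLE_SOURCE below are constructed for illustration.

// --- Heuristic detector for the pattern this entry describes -------------------
// Flags $sce.trustAs*(...) calls whose value argument is anything other than a
// string literal. Regex-based and line-oriented, so it is a review aid, not a
// parser: an argument with nested parentheses is captured only up to its first
// ')' (the call is still reported, because the captured text is not a literal).
const TRUST_AS_CALL =
  /\$sce\s*\.\s*(trustAs(?:Html|Js|Css|Url|ResourceUrl)?)\s*\(\s*([^)]*)\)/g;

function isStringLiteral(expr) {
  return /^(['"`])[^'"`]*\1$/.test(expr.trim());
}

function findRiskyTrustAsCalls(source) {
  const findings = [];
  source.split('\n').forEach(function (text, idx) {
    TRUST_AS_CALL.lastIndex = 0;
    let m;
    while ((m = TRUST_AS_CALL.exec(text)) !== null) {
      const method = m[1];
      let value = m[2];
      // $sce.trustAs(type, value) carries the value after the first comma;
      // the typed helpers (trustAsHtml, ...) take the value directly.
      if (method === 'trustAs') {
        const comma = value.indexOf(',');
        if (comma >= 0) value = value.slice(comma + 1);
      }
      value = value.trim();
      if (!isStringLiteral(value)) {
        findings.push({ line: idx + 1, method: method, value: value });
      }
    }
  });
  return findings;
}

// Constructed sample source (not taken from any real project).
const SAMPLE_SOURCE = [
  "$scope.banner  = $sce.trustAsHtml('<b>Welcome back</b>');",     // app-authored literal
  "$scope.comment = $sce.trustAsHtml(userComment);",                // user data: flagged
  "$scope.widget  = $sce.trustAs($sce.HTML, req.body.widgetHtml);", // user data: flagged
  "$scope.safe    = $sanitize(userComment);"                        // no trustAs call
].join('\n');

console.log(findRiskyTrustAsCalls(SAMPLE_SOURCE));

// --- The flagged pattern beside a safe alternative (runs only where AngularJS is loaded)
if (typeof angular !== 'undefined') {
  angular.module('commentsDemo', ['ngSanitize'])
    // VULNERABLE: whatever the user typed is marked as trusted HTML, so
    // <div ng-bind-html="renderedHtml"></div> renders script-bearing markup as-is.
    .controller('UnsafeCommentCtrl', ['$scope', '$sce', function ($scope, $sce) {
      $scope.render = function (userComment) {
        $scope.renderedHtml = $sce.trustAsHtml(userComment);
      };
    }])
    // SAFER: no trustAs* call on user data. $sanitize (ngSanitize) applies a
    // conservative allowlist of tags and attributes, dropping <script>, event-handler
    // attributes and javascript: URLs; ng-bind-html then renders the result.
    // If the comment never needs markup, bind it with ng-bind instead, which escapes.
    .controller('SafeCommentCtrl', ['$scope', '$sanitize', function ($scope, $sanitize) {
      $scope.render = function (userComment) {
        $scope.renderedHtml = $sanitize(userComment);
      };
    }]);
}
```

Run under Node the detector reports lines 2 and 3 of the sample source; the literal on line 1 is the one case where `trustAsHtml` is defensible, because the markup was authored by the application rather than supplied by a user.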
## Impact
If exploited, attackers could inject and execute malicious scripts in users’ browsers, leading to data theft, account compromise, or unauthorized actions on behalf of users. This undermines user trust and can expose sensitive information or functionality to attackers.