# SYM_JSTS_0174 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki

## Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
| OWASP | A07:2017 - Cross-Site Scripting (XSS) |
| Confidence Level | High |
| Impact Level | Medium |
| Likelihood Level | High |
## Description

Disabling AngularJS's Strict Contextual Escaping (SCE) with `$sceProvider.enabled(false)` removes the built-in protection against binding unsafe content into your app. This increases the risk of cross-site scripting (XSS), because user-controlled values rendered in HTML, URL, or resource contexts are no longer automatically sanitized or required to be explicitly trusted.
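The following is an added example, not code from the Symbiotic-Vulnerability-Database page: a small lint-style check that scans AngularJS source for `config` blocks that disable SCE globally, shown against a constructed vulnerable configuration and a constructed hardened one. The `scanForSceDisabled` function, the sample sources, and the severity labels are assumptions made for illustration.

```javascript
// Added example (not from the original page). Constructed AngularJS
// configuration snippets used as scanner input.

// Weak setting: turns off Strict Contextual Escaping for the whole app.
const VULNERABLE_CONFIG = `
angular.module('app', []).config(['$sceProvider', function ($sceProvider) {
  // Global opt-out of SCE: every ng-bind-html / ng-src binding is now unchecked
  $sceProvider.enabled(false);
}]);
`;

// Corrected setting: SCE stays enabled (this is also AngularJS's default).
const HARDENED_CONFIG = `
angular.module('app', []).config(['$sceProvider', function ($sceProvider) {
  // SCE left on; untrusted values must go through $sce.trustAs* explicitly
  $sceProvider.enabled(true);
}]);
`;

// Ambiguous setting: the argument is decided at runtime, so a reviewer
// has to confirm it can never evaluate to false.
const RUNTIME_CONFIG = `
angular.module('app', []).config(['$sceProvider', function ($sceProvider) {
  $sceProvider.enabled(settings.enableSce);
}]);
`;

// Matches $sceProvider.enabled(<argument>) with optional whitespace and
// captures the argument text.
const SCE_ENABLED_CALL = /\$sceProvider\s*\.\s*enabled\s*\(\s*([^)]*?)\s*\)/;

// Scans source text line by line and reports every call that disables SCE
// ("high") or whose argument is not a literal true ("review").
// Trailing // comments are stripped first so commented-out code is ignored
// (a deliberate simplification: a "//" inside a string would also be cut).
function scanForSceDisabled(source) {
  const findings = [];
  source.split('\n').forEach((line, idx) => {
    const code = line.replace(/\/\/.*$/, '');
    const match = SCE_ENABLED_CALL.exec(code);
    if (!match) {
      return;
    }
    const arg = match[1];
    if (arg === 'false') {
      findings.push({ line: idx + 1, severity: 'high', text: line.trim() });
    } else if (arg !== 'true' && arg !== '') {
      // Non-literal argument (or a getter call with no argument is skipped)
      findings.push({ line: idx + 1, severity: 'review', text: line.trim() });
    }
  });
  return findings;
}

// Stand-alone usage: report findings for each constructed sample.
for (const [name, src] of [
  ['vulnerable', VULNERABLE_CONFIG],
  ['hardened', HARDENED_CONFIG],
  ['runtime', RUNTIME_CONFIG],
]) {
  console.log(name, scanForSceDisabled(src));
}
```

Run it with `node` to see the vulnerable sample flagged at the `$sceProvider.enabled(false)` line, the hardened sample produce no findings, and the runtime-decided sample marked for review. The fix for a flagged configuration is to leave SCE enabled and, where a specific value genuinely must be rendered as HTML, mark only that value as trusted with AngularJS's `$sce.trustAsHtml` (or the matching `$sce.trustAs*` method for other contexts) rather than switching the protection off globally.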
## Impact

If exploited, attackers can inject malicious scripts into your application's web pages, potentially stealing user data, hijacking sessions, or defacing the site. This can lead to data breaches, loss of user trust, and regulatory consequences for your organization.