Some of our growl messages are created by compiling HTML that contains the user's input.
For example:
```js
// entityName and actionName are user-controlled and are concatenated
// straight into the markup
var html =
    '<span>' +
    'Some ' + entityName + 's' + ' could not be ' + actionName + '. <br/>' +
    '</span>';
var messageElement = angular.element(html);
var scope = $rootScope.$new();
var linkedElement = $compile(messageElement)(scope);
growl.error(linkedElement.html());
```
In case we don't sanitize the user's input ourselves, we may be exposed to XSS attacks (try to put use in the entityName, for example).
I wonder if this can be done internally by growl, as AngularJS developers usually rely on AngularJS's "automatic" sanitization and don't pay attention to such issues.