alexcrack / angular-ui-notification

Angular.js service providing simple notifications using Bootstrap 3 styles with css transitions for animating
MIT License

Add protection against XSS #86

Open arialwhite opened 8 years ago

arialwhite commented 8 years ago

In my app the following code opens a dialog box with "hi": Notification.success("Some message <script>alert('hi')</script>")

It shows that my app was vulnerable to XSS because Notification was used in that sort of way: Notification.error("got an error : "+myError);

And myError is a string that can come from anywhere, and is insecure.

My fix was to decorate the Notification service and apply $sanitize on strings.

nadouani commented 7 years ago

This one is in fact an issue, since the documentation doesn't indicate that the service trusts the message as HTML by default. We needed to take a look at the source code to discover it when we encountered an XSS issue.

IMHO this library shouldn't trust the message as HTML by default, but should provide an option to disable sanitization.

I can provide a PR if you want.

Thanks
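The two fixes proposed in this thread (arialwhite's decorator that sanitizes messages, and nadouani's suggestion that trusting HTML should be opt-in) combined into one added example; this is not code from the angular-ui-notification project. In a real AngularJS app the wrapping would go through `$provide.decorator('Notification', ...)` and ngSanitize's `$sanitize`; here a plain-text HTML escape stands in for `$sanitize`, a stub `rawNotification` stands in for the library's service, and the option name `trustHtml` and the `{ message, title }` call shape are assumptions.

```javascript
// Escape the characters that can open a tag or attribute in HTML text.
// Stand-in for ngSanitize's $sanitize: stricter, since it treats the whole
// message as plain text instead of stripping unsafe elements.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// The library accepts either a string or an object (assumed shape:
// { message, title, ... }); escape the renderable fields of either form.
function escapeMessage(input) {
  if (typeof input !== 'object' || input === null) return escapeHtml(input);
  const out = { ...input };
  for (const field of ['message', 'title']) {
    if (typeof out[field] === 'string') out[field] = escapeHtml(out[field]);
  }
  return out;
}

// Constructed stand-in for the library's Notification service: each method
// returns the markup it would inject, so the effect of wrapping is visible.
function render(kind, input) {
  const body = typeof input === 'string'
    ? input
    : `<h3>${input.title || ''}</h3>${input.message}`;
  return `<div class="${kind}">${body}</div>`;
}
const rawNotification = {
  success: (input) => render('success', input),
  error: (input) => render('error', input),
};

// Decorator: wrap every method of the delegate so messages are escaped by
// default; a caller must pass { trustHtml: true } (hypothetical option) to
// have its markup rendered as-is, which makes HTML trust opt-in rather than
// the silent default the issue complains about.
function secureNotification(delegate) {
  const wrapped = {};
  for (const name of Object.keys(delegate)) {
    wrapped[name] = (input, options = {}) =>
      delegate[name](options.trustHtml ? input : escapeMessage(input), options);
  }
  return wrapped;
}

// What the app would inject in place of the original service.
const Notification = secureNotification(rawNotification);
```

Calling `Notification.error("got an error : " + myError)` now renders the error text literally, and only a call that explicitly passes `{ trustHtml: true }` reaches the underlying service with raw markup.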