XSS may be triggered in AngularJS applications that sanitize user-controlled HTML snippets before passing them to JQLite methods like JQLite.prepend, JQLite.after, JQLite.append, JQLite.replaceWith, JQLite.append, new JQLite and angular.element.
JQLite (DOM manipulation library that's part of AngularJS) manipulates input HTML before inserting it to the DOM in jqLiteBuildFragment.
One of the modifications performed expands an XHTML self-closing tag.
If jqLiteBuildFragment is called (e.g. via new JQLite(aString)) with user-controlled HTML string that was sanitized (e.g. with DOMPurify), the transformation done by JQLite may modify some forms of an inert, sanitized payload into a payload containing JavaScript - and trigger an XSS when the payload is inserted into DOM.
This will alert, as <script/> will be replaced with <script></script> before adding it to the DOM, closing the style element early and reactivating img.
Note that this vanilla JS node insertion does not activate img:
Update:
Not sure if HTML tags inside
<script>
should be treated as DOM elements.I'm submitting a ...
Current behavior:
This is similar to https://snyk.io/vuln/SNYK-JS-ANGULAR-572020
XSS may be triggered in AngularJS applications that sanitize user-controlled HTML snippets before passing them to JQLite methods like JQLite.prepend, JQLite.after, JQLite.append, JQLite.replaceWith, JQLite.append, new JQLite and angular.element.
JQLite (DOM manipulation library that's part of AngularJS) manipulates input HTML before inserting it to the DOM in jqLiteBuildFragment.
One of the modifications performed expands an XHTML self-closing tag.
If jqLiteBuildFragment is called (e.g. via new JQLite(aString)) with user-controlled HTML string that was sanitized (e.g. with DOMPurify), the transformation done by JQLite may modify some forms of an inert, sanitized payload into a payload containing JavaScript - and trigger an XSS when the payload is inserted into DOM.
For example:
angular.element('body').append('<script><script/><img/src/onerror=alert(document.domain)>')
This will alert, as
<script/>
will be replaced with<script></script>
before adding it to the DOM, closing the style element early and reactivating img.Note that this vanilla JS node insertion does not activate img:
document.querySelector('body').append('<script><script/><img/src/onerror=alert(document.domain)>')
Expected / new behavior:
<script/>
tags should not be expanded and auto-wrapped.Minimal reproduction of the problem with instructions:
Tested at angularjs.com and roblox.com:
angular.element('body').append('<script><script/><img/src/onerror=alert(document.domain)>')
AngularJS version: 1.8.2
Browser: all
Remediation: The culprit here is jQuery. Update jQuery at angularjs.org.