<h3 _ngcontent-c4="" class="project-name">"Sometest"</h3><script>alert('xss');</script><h3>test</h3>
I tried to use an XSS vulnerability in my own project. But it somehow does not get triggered.
Any ideas?
Asked
Active
Viewed 246 times
-4
Dominic Järmann
- 65
- 8
-
Not sure if this is a problem. You are not closing the `script` tag properly. – Amit Chigadani Feb 25 '19 at 12:36
-
1Typo: You forgot the `/` from the script end tag. (Voting to close because the problem is caused by a typo) – Quentin Feb 25 '19 at 12:36
-
Angular probably protects you by default of this kind of injection. – Magnesium Feb 25 '19 at 12:36
1 Answers
0
script tags are stripped of from component markup. Its done by HTMLSanitizer. This is done as XSS prevention feature.
Angular treats all values as untrusted by default. When a value is inserted into the DOM from a template, via property, attribute, style, class binding, or interpolation, Angular sanitizes and escapes untrusted values.
It is possible but discouraged to inject untrusted content
https://stackoverflow.com/a/44904601/1527544
https://netbasal.com/angular-2-security-the-domsanitizer-service-2202c83bd90
Antoniossss
- 31,590
- 6
- 57
- 99