Seems like growl HTML based messages are vulnerable for XSS attacks
Opened this issue · 0 comments
benbracha commented
Some of our growl messages are created from compiled HTML that includes user input.
For example:
```javascript
// entityName and actionName are user-controlled and are concatenated
// into the markup without any escaping.
var html =
  '<span>' +
    'Some ' + entityName + 's' + ' could not be ' + actionName + '. </br>' +
  '</span>';
var messageElement = angular.element(html);
var scope = $rootScope.$new();
var linkedElement = $compile(messageElement)(scope);
// The compiled HTML is handed to growl as trusted markup.
growl.error(linkedElement.html());
```
If we don't sanitize the user's input ourselves, we may be exposed to XSS attacks (try putting `<script>alert('hello')</script>` in the entityName, for example).
I wonder if this can be done internally by growl, as AngularJS developers usually rely on AngularJS's "automatic" sanitization and don't pay attention to such issues.
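The fix the issue asks for on the application side, as an added example that is not part of the issue or of the growl project: the same message template built with every user-controlled value HTML-escaped before concatenation, plus a small check that the resulting markup contains only the tags the template itself emits. Plain Node.js is assumed; no AngularJS dependency.

```javascript
// Added example (not from the issue or angular-growl): escape user input
// before it is concatenated into growl message markup. Runs in plain Node.js.

// Escape the characters that can change HTML text or attribute context.
function escapeHtml(value) {
  var map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, function (ch) { return map[ch]; });
}

// Construction as in the issue: values are concatenated verbatim, so a
// value containing markup becomes part of the message's HTML.
function buildUnsafeMessage(entityName, actionName) {
  return '<span>Some ' + entityName + 's could not be ' + actionName + '.<br></span>';
}

// Hardened construction: identical markup, but user input is rendered as
// text and cannot open or close tags.
function buildSafeMessage(entityName, actionName) {
  return '<span>Some ' + escapeHtml(entityName) + 's could not be ' +
         escapeHtml(actionName) + '.<br></span>';
}

// Review/test helper: true if the message contains any tag other than the
// <span> and <br> that the template is supposed to produce.
function hasUnexpectedTags(html) {
  var tags = html.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return tags.some(function (t) { return !/^<\/?(span|br)\s*\/?>$/i.test(t); });
}

// Constructed sample input of the kind the issue describes (hypothetical value).
var hostileName = "<script>alert('hello')</script>";

function demo() {
  return {
    unsafeLeaksTag: hasUnexpectedTags(buildUnsafeMessage(hostileName, 'deleted')),
    safeLeaksTag: hasUnexpectedTags(buildSafeMessage(hostileName, 'deleted'))
  };
}
```

With `demo()` the unsafe builder reports an unexpected `<script>` tag while the escaped builder does not; the same escaping belongs wherever the template is assembled, since growl receives the finished HTML as trusted markup.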