All versions of angular-ui-notification are vulnerable to XSS because the library does not sanitize the input provided by the user before rendering it.
In order to use this library safely, sanitizing or encoding the parameters passed to it is highly recommended, for example with the following helper:
```typescript
// Encode every character that is not a word character, '.' or ' ' as a
// decimal HTML entity, so markup in the input is displayed as text.
private sanitizeHTML(str: string) {
  return str.replace(/[^\w. ]/gi, (c) => `&#${c.charCodeAt(0)};`);
}
```
Say the library has already been imported and is being used by a project. Its usage could look like the following:
```typescript
private showNotification(message: string, delay: number, type: NotificationType) {
  this.Notification.clearAll();
  // `message` is rendered by the library as-is, without encoding
  this.Notification[type]({
    message,
    delay,
    replaceMessage: true
  });
}
```
If the frontend were to pass user input directly to the `message` parameter, any `<script>` tag would be enough to perform an XSS attack. A simple `<script>alert(1)</script>` would suffice.
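The following is an added example, not code from the advisory or from angular-ui-notification itself. It applies the advisory's numeric-entity encoder to the message before it reaches the notification service, so the `<script>` payload above is displayed as literal text. `FakeNotificationService` is a constructed stand-in for the library's `Notification` service, used only to capture what the wrapper hands over; the real service is assumed to expose `clearAll()` and one method per notification type, as in the usage shown above.

```typescript
// Added example: encode user-controlled text before passing it to the
// notification service. Not part of angular-ui-notification.

type NotificationType = "success" | "error" | "info" | "warning";

interface NotificationOptions {
  message: string;
  delay: number;
  replaceMessage: boolean;
}

// Same encoder as in the advisory: every character that is not a word
// character, '.' or ' ' becomes a decimal HTML entity (e.g. '<' -> '&#60;').
function sanitizeHTML(str: string): string {
  return str.replace(/[^\w. ]/gi, (c) => `&#${c.charCodeAt(0)};`);
}

// Constructed stand-in for the library's Notification service. It records
// every call so the test can inspect exactly what would have been rendered.
class FakeNotificationService {
  shown: Array<{ type: NotificationType; options: NotificationOptions }> = [];
  clearAll(): void { this.shown = []; }
  success(o: NotificationOptions): void { this.shown.push({ type: "success", options: o }); }
  error(o: NotificationOptions): void { this.shown.push({ type: "error", options: o }); }
  info(o: NotificationOptions): void { this.shown.push({ type: "info", options: o }); }
  warning(o: NotificationOptions): void { this.shown.push({ type: "warning", options: o }); }
}

// Hardened version of the wrapper from the advisory: the only change is that
// `message` is encoded before it is handed to the library. Returns the
// message string the service actually received, for inspection.
function showNotification(
  svc: FakeNotificationService,
  message: string,
  delay: number,
  type: NotificationType
): string {
  svc.clearAll();
  svc[type]({
    message: sanitizeHTML(message),
    delay,
    replaceMessage: true
  });
  return svc.shown[svc.shown.length - 1].options.message;
}

// Simple check a reviewer can run over the value sent to the library:
// after encoding, no raw '<' or '>' may remain.
function containsRawMarkup(s: string): boolean {
  return /[<>]/.test(s);
}

// Constructed sample input: the payload from the advisory.
const samplePayload = "<script>alert(1)</script>";
const svc = new FakeNotificationService();
const rendered = showNotification(svc, samplePayload, 3000, "info");
console.log(rendered);                       // entity-encoded text
console.log(containsRawMarkup(rendered));    // false
```

Because `\w` without the `u` flag only matches ASCII word characters, accented letters and punctuation such as `'` are also turned into entities; the browser still displays them correctly when the message is rendered as HTML, so the encoder is safe to apply to every message, not only to ones that look suspicious.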
- https://github.com/alexcrack/angular-ui-notification - 0.1.0
- https://github.com/alexcrack/angular-ui-notification - 0.2.0
- https://github.com/alexcrack/angular-ui-notification - 0.3.6
Xh4H
The project does not seem to be maintained anymore, so I highly suggest using maintained alternatives.