Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
| Property | |
|---|---|
| Language |  |
| Severity |  |
| CWE | CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) |
| OWASP | A07:2017 - Cross-Site Scripting (XSS) |
| Confidence Level | Medium |
| Impact Level | Medium |
| Likelihood Level | Low |
Description#
Using Angular’s bypassSecurityTrust methods (like bypassSecurityTrustHtml or bypassSecurityTrustUrl) on data from users can allow untrusted input to be treated as safe, bypassing Angular’s built-in protections. This creates a risk of injecting malicious content directly into your app.
Impact#
If exploited, attackers could run malicious JavaScript in your users’ browsers (XSS), steal sensitive user data, hijack sessions, or deface your site. This compromises user trust, exposes confidential information, and can lead to broader security breaches within your application or organization.