Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
| Property | |
|---|---|
| Language |  |
| Severity |  |
| CWE | CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) |
| OWASP | A07:2017 - Cross-Site Scripting (XSS) |
| Confidence Level | Low |
| Impact Level | Medium |
| Likelihood Level | Low |
Description#
Using $sce.trustAsUrl with data from user input can allow attackers to inject malicious URLs into your application. If this input is not properly sanitized, it can lead to security risks such as cross-site scripting (XSS).
Impact#
If exploited, an attacker could inject harmful URLs or scripts, potentially leading to theft of user data, session hijacking, or redirection to malicious websites. This compromises user trust and can expose sensitive information or damage your application’s reputation.