Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
| Property | |
|---|---|
| Language |  |
| Severity |  |
| CWE | CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) |
| OWASP | A07:2017 - Cross-Site Scripting (XSS) |
| Confidence Level | Low |
| Impact Level | Medium |
| Likelihood Level | Low |
Description#
Using $sce.trustAsHtml in Angular with user-supplied input can allow attackers to inject malicious HTML or JavaScript code. This makes your application vulnerable to cross-site scripting (XSS) attacks.
Impact#
If exploited, an attacker could run arbitrary scripts in the user’s browser, potentially stealing sensitive information, hijacking user sessions, or defacing your site. This puts both user data and application integrity at risk.