Property
Language: javascript
Severity: low
CWE: CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
OWASP: A07:2017 - Cross-Site Scripting (XSS)
Confidence Level: Low
Impact Level: Medium
Likelihood Level: Low

Description

Using $sce.trustAsResourceUrl with user input in AngularJS can allow attackers to inject malicious URLs if the input is not properly sanitized. This exposes the application to security risks by trusting potentially unsafe content.

Impact

If exploited, an attacker could execute malicious scripts or load harmful resources in the user’s browser, leading to cross-site scripting (XSS) attacks. This can result in data theft, session hijacking, or compromise of user accounts and trust in the application.
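
The pattern from the Description, next to a checked alternative. This is an added example, not code from the rule's own documentation; the host allow-list, the function names and the `fakeSce` stand-in for AngularJS's `$sce` service are assumptions made so it runs under Node.

```javascript
// Constructed allow-list of hosts permitted to serve embedded resources (assumption).
const ALLOWED_HOSTS = new Set(["media.example.com", "player.example.com"]);

// Flagged pattern: user input is marked trusted with no check at all.
function trustUnchecked($sce, userInput) {
  return $sce.trustAsResourceUrl(userInput);
}

// Checked pattern: parse first, require https and an allow-listed host,
// and only then hand the normalized URL to $sce.trustAsResourceUrl.
function trustIfAllowed($sce, userInput) {
  let url;
  try {
    // No base URL is given, so relative and malformed input throws here.
    url = new URL(String(userInput));
  } catch (e) {
    return null;
  }
  if (url.protocol !== "https:") return null;        // drops javascript:, data:, http:
  if (url.username || url.password) return null;     // drops userinfo tricks before the host
  if (!ALLOWED_HOSTS.has(url.hostname)) return null; // exact host match, no suffix matching
  return $sce.trustAsResourceUrl(url.href);
}

// Hypothetical stand-in for the $sce service; in an AngularJS app, inject the real one.
const fakeSce = { trustAsResourceUrl: (v) => ({ trustedResourceUrl: v }) };

// Constructed sample inputs.
const samples = [
  "https://media.example.com/v/1.mp4",
  "javascript:alert(1)",
  "https://media.example.com.evil.test/x",
  "//media.example.com/x",
];
for (const s of samples) {
  const result = trustIfAllowed(fakeSce, s);
  console.log(s, "=>", result ? "trusted" : "rejected");
}
```

Callers should treat a `null` result as "do not bind this value" rather than falling back to the raw input.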