Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
| Property | |
|---|---|
| Language |  |
| Severity |  |
| CWE | CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) |
| OWASP | A07:2017 - Cross-Site Scripting (XSS) |
| Confidence Level | Low |
| Impact Level | Medium |
| Likelihood Level | Low |
Description#
Assigning user input directly to the $translateProvider.translations method in AngularJS can allow untrusted data to be injected into translation strings. This opens the door for malicious code to be rendered in the application’s UI.
Impact#
If exploited, an attacker could execute arbitrary JavaScript in users’ browsers (Cross-Site Scripting), potentially stealing user data, hijacking sessions, or defacing the application. This compromises both user security and the application’s trustworthiness.