Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
| Property | |
|---|---|
| Language |  |
| Severity |  |
| CWE | CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) |
| OWASP | A07:2017 - Cross-Site Scripting (XSS) |
| Confidence Level | Low |
| Impact Level | Medium |
| Likelihood Level | Low |
Description#
Using $sce.trustAsJs with unsanitized user input in AngularJS allows potentially unsafe code to be executed. This bypasses Angular’s default protections, making the application vulnerable to malicious JavaScript injection.
Impact#
If exploited, attackers could inject and execute arbitrary JavaScript in the user’s browser, leading to data theft, session hijacking, or complete compromise of user accounts. This can result in severe security breaches and loss of user trust.