XSS may be triggered in AngularJS applications that sanitize user-controlled HTML snippets before passing them to
JQLite methods like
new JQLite and
JQLite (DOM manipulation library that's part of AngularJS) manipulates input HTML before inserting it to the DOM in
One of the modifications performed expands an XHTML self-closing tag.
jqLiteBuildFragment is called (e.g. via
This is similar to a bug in jQuery
htmlPrefilter function that was fixed in 3.5.0.
const inertPayload = `<div><style><style/><img src=x onerror="alert(1337)"/>`
Note that the style element is not closed and
<img would be a text node inside the style if inserted into the DOM as-is.
As such, some HTML sanitizers would leave the
<img as is without processing it and stripping the
This will alert, as
<style/> will be replaced with
<style></style> before adding it to the DOM, closing the style element early and reactivating
The issue is patched in
JQLite bundled with angular 1.8.0. AngularJS users using JQuery should upgrade JQuery to 3.5.0, as a similar vulnerability affects jQuery <3.5.0.
Changing sanitizer configuration not to allow certain tag grouping (e.g.
<option><style></option>) or inline style elements may stop certain exploitation vectors, but it's uncertain if all possible exploitation vectors would be covered. Upgrade of AngularJS to 1.8.0 is recommended.