Skip to main content
The use of $sce.trustAs can be dangerous if unsanitized user input flows through this API.
Likelihood: LOW
Confidence: MEDIUM
CWE:
- CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
OWASP:
- A07:2017 - Cross-Site Scripting (XSS)
- A03:2021 - Injection
The use of $sce.trustAsUrl can be dangerous if unsanitized user input flows through this API.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
OWASP:
- A07:2017 - Cross-Site Scripting (XSS)
- A03:2021 - Injection
Use of angular.element can lead to XSS if user-input is treated as part of the HTML element within $SINK. It is recommended to contextually output encode user-input, before inserting into $SINK. If the HTML needs to be preserved it is recommended to sanitize the input using sce.getTrustedHTMLorsce.getTrustedHTML or sanitize.
Likelihood: HIGH
Confidence: MEDIUM
CWE:
- CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
OWASP:
- A07:2017 - Cross-Site Scripting (XSS)
- A03:2021 - Injection
Use of angular.element can lead to XSS if user-input is treated as part of the HTML element within $SINK. It is recommended to contextually output encode user-input, before inserting into $SINK. If the HTML needs to be preserved it is recommended to sanitize the input using sce.getTrustedHTMLorsce.getTrustedHTML or sanitize.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
OWASP:
- A07:2017 - Cross-Site Scripting (XSS)
- A03:2021 - Injection
The use of $translateProvider.translations method can be dangerous if user input is provided to this API.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
OWASP:
- A07:2017 - Cross-Site Scripting (XSS)
- A03:2021 - Injection
The use of $sce.trustAsResourceUrl can be dangerous if unsanitized user input flows through this API.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
OWASP:
- A07:2017 - Cross-Site Scripting (XSS)
- A03:2021 - Injection
Use of $window.location.href can lead to open-redirect if user input is used for redirection.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
OWASP:
- A07:2017 - Cross-Site Scripting (XSS)
- A03:2021 - Injection
The use of $sce.trustAsHtml can be dangerous if unsanitized user input flows through this API.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
OWASP:
- A07:2017 - Cross-Site Scripting (XSS)
- A03:2021 - Injection
The use of $sce.trustAsJs can be dangerous if unsanitized user input flows through this API.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
OWASP:
- A07:2017 - Cross-Site Scripting (XSS)
- A03:2021 - Injection
$sceProvider is set to false. Disabling Strict Contextual escaping (SCE) in an AngularJS application could provide additional attack surface for XSS vulnerabilities.
Likelihood: HIGH
Confidence: HIGH
CWE:
- CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
OWASP:
- A07:2017 - Cross-Site Scripting (XSS)
- A03:2021 - Injection
$sceDelegateProvider allowlisting can introduce security issues if wildcards are used.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
OWASP:
- A07:2017 - Cross-Site Scripting (XSS)
- A03:2021 - Injection
The use of $sce.trustAsCss can be dangerous if unsanitized user input flows through this API.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
OWASP:
- A07:2017 - Cross-Site Scripting (XSS)
- A03:2021 - Injection
I