@angular/platform-server: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
- When
- Where
- Global (internet)
- Category
- cyber_advisory · npm
A Cross-Site Scripting (XSS) vulnerability exists in `@angular/platform-server`'s DOM emulation dependency (`domino`) when serializing the content of raw-text elements (such as `<script>`, `<style>`, and `<iframe>`). `domino` supports escaping raw-text elements during serialization to prevent closing-tag breakout. However, a **Unicode index alignment bug** existed in this escaping logic. In JavaScript, string lengths and character indices are calculated based on UTF-16 code units (where astral characters—such as emojis—occupy 2 code units / 4 bytes). If the bound dynamic text contained astral Unicode characters _before_ the closing tag (e.g. `</script>`, `</style>`, or `</iframe>`), the index offset calculation in `domino`'s replacement logic shifted. This misalignment caused `domino` to fail to replace or escape the closing tag, leaving it raw and unescaped in the output HTML. An attacker who controls the dynamic text can supply a payload containing both an astral Unicode character and a closing tag (e.g., `😀</iframe><script>alert(1)</script>`). When serialized on the server during SSR, the browser parses the unescaped closing tag, exits the raw-text context early, and executes the subsequent `<script>` block, leading to same-origin Cross-Site Scripting (XSS). ### Impact This vulnerability allows an attacker to perform same-origin Cross-Site Scripting (XSS) attacks against any user visiting an SSR-rendered page that binds user-controlled data inside raw-text elements. This can lead to session hijacking, credentials theft, unauthorized actions on behalf of users, and defacement. ### Patched Versions - 22.0.0-rc.2 - 21.2.16 - 20.3.24 - 19.2.25 ### Workarounds If you cannot immediately update your dependencies, you can: - Avoid binding user-controlled values inside `<iframe>` or other raw-text elements. - Sanitize any user input placed inside raw-text elements to explicitly strip closing tags before passing it to the template.
Sources
- GitHub Advisory Database ↗ · first seen 2026-06-15 17:20 UTC
Defaxon links out to the original reporting and never republishes article text.
Correlated events
Computed by the Defaxon correlation engine — linked by shared actors, co-location, and temporal proximity. Scored hypotheses, never causal claims.