Steps to Reproduce
This vulnerability can turn safe <option> tags that are wrapped in other tags (particularly a <select> tag) into unsafe ones, opening the door to a Cross-Site Scripting (XSS) attack. It affects versions of AngularJS prior to 1.8.0; the flaw lives in jqLite, the library's bundled jQuery-lite implementation.
Addressing the Issue
Customers using versions of AngularJS earlier than 1.8.0 should upgrade immediately.
The fix is a backwards-incompatible change, so the release also ships a method, UNSAFE_restoreLegacyJqLiteXHTMLReplacement, that restores the old behavior. If you use this method as a temporary measure, plan to remove it as soon as possible.
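The advisory gives two things to look for in a code base: an AngularJS dependency older than 1.8.0, and any call to the temporary UNSAFE_restoreLegacyJqLiteXHTMLReplacement shim. The following audit script is an added example, not HeroDevs or AngularJS code. It assumes the dependency is declared under the npm name `angular` and that the shim is invoked as `angular.UNSAFE_restoreLegacyJqLiteXHTMLReplacement()`; the dependency map and source file it scans are constructed sample input.

```javascript
// Added example (not HeroDevs or AngularJS code): flag projects that still declare
// an AngularJS build older than 1.8.0, or that call the temporary legacy shim.

const FIXED_VERSION = [1, 8, 0]; // release that carries the fix, per the advisory
const LEGACY_SHIM = 'UNSAFE_restoreLegacyJqLiteXHTMLReplacement';

// Parse "1.7.9", "^1.7.0" or "~1.8.0" into [major, minor, patch]. Range prefixes
// are stripped so the lower bound of the range is what gets checked; pre-release
// suffixes such as "-rc.1" are ignored.
function parseVersion(spec) {
  const m = /^[\^~>=\s]*(\d+)\.(\d+)\.(\d+)/.exec(spec);
  if (!m) return null;
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// true when the declared AngularJS version is older than 1.8.0
function isVulnerableAngularVersion(spec) {
  const v = parseVersion(spec);
  if (v === null) return true; // unparseable spec (git URL, tag): needs manual review
  return compareVersions(v, FIXED_VERSION) < 0;
}

// 1-based line numbers where a source file calls the legacy shim.
// Mentions inside a trailing // comment are not counted.
function findLegacyShimCalls(source) {
  const hits = [];
  source.split('\n').forEach((line, idx) => {
    const code = line.replace(/\/\/.*$/, '');
    if (code.includes(LEGACY_SHIM + '(')) hits.push(idx + 1);
  });
  return hits;
}

// Audit a package.json "dependencies" map plus a map of file name -> source text.
// Returns one human-readable finding per problem.
function auditProject(dependencies, sources) {
  const findings = [];
  if (dependencies.angular && isVulnerableAngularVersion(dependencies.angular)) {
    findings.push(`angular@${dependencies.angular} is older than 1.8.0; upgrade`);
  }
  for (const [file, text] of Object.entries(sources)) {
    for (const ln of findLegacyShimCalls(text)) {
      findings.push(`${file}:${ln} calls ${LEGACY_SHIM}; replace this temporary shim`);
    }
  }
  return findings;
}

// Constructed sample input (not a real project)
const SAMPLE_DEPS = { angular: '^1.7.9', 'angular-sanitize': '^1.7.9' };
const SAMPLE_SOURCES = {
  'app.js': [
    '// TODO: drop the shim once the templates are fixed',
    'angular.UNSAFE_restoreLegacyJqLiteXHTMLReplacement();',
    "angular.module('app', []);",
  ].join('\n'),
};

auditProject(SAMPLE_DEPS, SAMPLE_SOURCES).forEach(f => console.log(f));
```

Run it with Node against your own package.json and source tree; the version check treats anything it cannot parse as needing review rather than silently passing it.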
Learning and Prevention
Although many XSS attacks arise from code within the developer's control, in this case the problem was in a method the library used as part of sanitizing markup. The original code could take already-sanitized input and turn it back into unsanitized input. Sanitized, here, means the input had already been "escaped": escaping converts risky characters such as < into a safer form (&lt; in this case). Because the order in which the various sanitization functions run is not known in advance, this improper transformation could run last, leaving the output insecure.
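The lesson above can be turned into a regression check: whatever rewrites a markup string after escaping has run must never make escaped untrusted text readable as markup again. The code below is an added example, not HeroDevs or AngularJS code. The two post-processing steps (collapseWhitespace and decodeEntities) are hypothetical stand-ins for library transforms, not jqLite's code, and the input samples are constructed.

```javascript
// Added example (not HeroDevs or AngularJS code): check that a markup transform
// preserves escaping, i.e. that escaped attacker text never comes back as tags.

const ESCAPE_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the characters that can change meaning in HTML text or attribute values.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, ch => ESCAPE_MAP[ch]);
}

// Render a trusted template around an untrusted value. Escaping is the last thing
// done to the value, so every step that follows must leave it escaped.
function renderOption(label) {
  return '<select><option>' + escapeHtml(label) + '</option></select>';
}

// Two hypothetical post-processing steps (constructed for this example):
// (a) collapses whitespace between tags and never touches escaped text
function collapseWhitespace(html) {
  return html.replace(/>\s+</g, '><');
}
// (b) decodes character references "for readability"; this is exactly the kind of
// step that turns sanitized text back into markup
function decodeEntities(html) {
  return html.replace(/&lt;/g, '<').replace(/&gt;/g, '>').replace(/&amp;/g, '&');
}

// Property 1: escaped untrusted text fed through the transform on its own must not
// come out containing a raw "<" or ">". Returns the samples that violate it.
function samplesWhereEscapingBreaks(transform, samples) {
  return samples.filter(s => /[<>]/.test(transform(escapeHtml(s))));
}

// Property 2, inside the trusted template: the number of "<" must not grow,
// because the template's own tags are the only markup allowed in the output.
function templateGainsTags(transform, sample) {
  const count = html => (html.match(/</g) || []).length;
  const rendered = renderOption(sample);
  return count(transform(rendered)) > count(rendered);
}

// Constructed samples of markup-shaped untrusted input (harmless tags, no payloads)
const SAMPLES = [
  '<img src=x>',
  '</option></select><b>bold</b>',
  '&lt;already-escaped&gt;',
  'plain text',
];

console.log('collapseWhitespace breaks:', samplesWhereEscapingBreaks(collapseWhitespace, SAMPLES));
console.log('decodeEntities breaks:', samplesWhereEscapingBreaks(decodeEntities, SAMPLES));
```

The third sample is worth noting: text that arrives already containing entities is escaped to `&amp;lt;...`, and decodeEntities turns that back into `&lt;...`, which is still text. The check only fires when a transform produces a raw angle bracket, which is the condition that actually matters.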
Conclusion
The fix described in this advisory is present in 1.8.0 and is also immediately available to HeroDevs AngularJS Never-Ending Support clients who are still on Angular 1.5. If you would like support to avoid potentially costly attacks, contact HeroDevs [TODO: insert link] today.
If you would like the peace-of-mind that comes from a HeroDevs Never-Ending Support subscription, contact our sales team today.
Resources
NIST NVD entry for CVE-2020-7676