
So the other day at work I noticed this code in one of our web apps:

// Reads the ":b" route parameter and stores it on the component;
// the template then renders it through {{a}} interpolation.
this.activatedRoute.params.subscribe(params => {
    this.a = params['b'];
});

and then in the HTML:

{{a}}

So basically if I navigate to http://example.com/lol the string "lol" will be inserted in the page. My intuition tells me that this is not quite right since you can potentially inject malicious code into the URL, but so far I've had no luck doing it because either the URL doesn't get matched properly or Angular just inserts the parameter as a plain string in the page so that it's not interpreted by the browser.

Is there absolutely no way for an attacker to exploit this?

Tudor

2 Answers


As stated on Angular's security page, interpolated content is always escaped. Unless the application explicitly marks the content as trusted using the DomSanitizer or there is a vulnerability in Angular, there is no way for an attacker to exploit this.

user2313067
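The contract this answer describes, as an added example that is not from the question or either answer: a plain JavaScript model of the difference between escaped `{{ }}` interpolation and a binding whose value was marked trusted. Angular itself is not used; `routeParamFromPath`, `renderInterpolated` and `renderTrustedHtml` are stand-ins for the router's parameter decoding, text interpolation and a `bypassSecurityTrustHtml()` binding respectively, and the sample path is constructed.

```javascript
// Added example, not from the original thread or from Angular's source.
// Route parameters arrive already URL-decoded, so a path like
// /%3Cb%3Elol%3C%2Fb%3E yields the raw string "<b>lol</b>" in params['b'].
function routeParamFromPath(path) {
  const segment = path.split('/').filter(Boolean).pop() || '';
  return decodeURIComponent(segment);
}

// Text interpolation writes the value as a text node, which is equivalent
// to HTML-escaping it. This models the "always escaped" guarantee.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, ch => map[ch]);
}

// Renders a template such as "<p>{{a}}</p>" with the escaped binding.
function renderInterpolated(template, bindings) {
  return template.replace(/\{\{\s*(\w+)\s*\}\}/g,
    (_, name) => escapeHtml(bindings[name] ?? ''));
}

// Stand-in for [innerHTML]="trusted" where "trusted" came from
// DomSanitizer.bypassSecurityTrustHtml(): the value is inserted verbatim.
function renderTrustedHtml(template, bindings) {
  return template.replace(/\{\{\s*(\w+)\s*\}\}/g,
    (_, name) => String(bindings[name] ?? ''));
}

// Defender's check: did the rendered output gain tags that are not in the
// template, i.e. did markup from the parameter survive rendering?
function containsInjectedTag(rendered, template) {
  const tagsIn = s => (s.match(/<\/?[a-z][^>]*>/gi) || []).length;
  return tagsIn(rendered) > tagsIn(template);
}

// Constructed sample input mirroring the question's /lol route.
const TEMPLATE = '<p>{{a}}</p>';
const param = routeParamFromPath('/%3Cb%3Elol%3C%2Fb%3E');
const safeRender = renderInterpolated(TEMPLATE, { a: param });
const trustedRender = renderTrustedHtml(TEMPLATE, { a: param });
```

Running it shows the interpolated output keeps the angle brackets as `&lt;`/`&gt;` text, while only the trusted-HTML path lets the `<b>` element through.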

If the user that enters the URL is the one who will see it again, there is no problem.
Attackers don't want to attack themselves.

user155462
But what if the user is tricked into clicking a link like: `www.example.com/` ? This could allow execution of arbitrary JS if the browser interprets the tags as HTML. – Tudor Aug 03 '17 at 12:43

@user155462: would you be a dear and provide me a link to some live sites you've developed? I have a few bug bounties I'd like to collect before Christmas hits. – Tango Bravo Nov 21 '18 at 17:25