So the other day at work I noticed this code in one of our web apps:
    // Subscribe to the route parameters and copy the ':b' path segment into a field
    this.activatedRoute.params.subscribe(params => {
      this.a = params['b'];
    });
and then in the HTML:
    {{a}}
So basically, if I navigate to http://example.com/lol, the string "lol" will be inserted in the page. My intuition tells me that this is not quite right, since you can potentially inject malicious code into the URL, but so far I've had no luck doing it, because either the URL doesn't get matched properly or Angular just inserts the parameter as a plain string in the page, so that it's not interpreted by the browser.
Is there absolutely no way for an attacker to exploit this?