-
Notifications
You must be signed in to change notification settings - Fork 27.6k
DOM-based cross-site scripting (DOM_XSS) issue found in angular.js in Coverity scan #17045
Comments
This is not the correct repository for AngularJS issues. Transferring... |
Would it be possible for you to provide a test case where AngularJS was vulnerable and send it to security@angularjs.org? See https://docs.angularjs.org/guide/security for more information about reporting security issues. |
Sure. Will do it. Thanks. |
Hi FYI - I sent a mail to security@angularjs.org with use case details. Thanks. |
This report appears incorrect to me. While window.location.href is a source of untrusted data, this data is not ever evaluated by Angular in any way. So the way we interact with that API does not pose聽a problem and it's safe to ignore the warning. We see quite a few scanning tools identify false positives in angular.js and this seems to be just another one. |
Thanks for the valuable comment. It will certainly help me to proceed. |
馃洃馃洃馃洃馃洃馃洃馃洃馃洃馃洃馃洃馃洃馃洃馃洃馃洃馃洃馃洃馃洃馃洃馃洃馃洃馃洃馃洃馃洃馃洃馃洃馃洃馃洃馃洃
Please read https://angular.io/guide/security#report-issues on how to disclose security related issues.
馃洃馃洃馃洃馃洃馃洃馃洃馃洃馃洃馃洃馃洃馃洃馃洃馃洃馃洃馃洃馃洃馃洃馃洃馃洃馃洃馃洃馃洃馃洃馃洃馃洃馃洃馃洃
Hi Team - Request to provide solution to avoid below issue in Coverity scan.
Issue Details are as follows,
The property window.location.href is a source of untrusted data.
DOM-based cross-site scripting (DOM_XSS)2. sink: Calling urlResolve. This call uses window.location.href for sensitive computation. [show details]
The untrusted data reaches a sink that can either lead to HTML injection, JavaScript code execution, or the manipulation of a URL starting with the "javascript:" or "data:" schemes. Any of these can lead to a DOM XSS vulnerability.
var originUrl = urlResolve(window.location.href);
The text was updated successfully, but these errors were encountered: