Angular Template Compiler Cross-Site Scripting Vulnerability in SVG Script Attributes

Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in the Angular Template Compiler, affecting versions prior to 19.2.18, 20.3.16, 21.0.7, and 21.1.0-rc.0. The issue arises because Angular's internal sanitization schema does not recognize the 'href' and 'xlink:href' attributes of SVG '<script>' elements as a Resource URL context. This oversight can lead to XSS if user-controlled values are interpolated into these attributes, allowing for the execution of arbitrary JavaScript in the context of the victim's browser session.

Impact

Exploitation of this vulnerability allows for arbitrary JavaScript execution in the context of the user's browser session, potentially leading to session hijacking, data exfiltration, or unauthorized actions on behalf of the user.

Reproduction

To reproduce this vulnerability, create an Angular application that uses SVG '<script>' elements. Bind the 'href' or 'xlink:href' attributes of these script elements to user-controlled data, such as input from URL parameters or unsanitized API responses. When the application is run, the Angular Template Compiler will not properly sanitize the bound values, allowing for the injection of malicious scripts.

Remediation

Users can upgrade to Angular versions 19.2.18, 20.3.16, 21.0.7, or 21.1.0-rc.0 to address this vulnerability. For applications that cannot be immediately upgraded, it is recommended to avoid dynamic bindings for SVG '<script>' elements and to validate any input that must be used in such bindings.
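An added audit helper for the remediation above (example code, not part of this advisory and not Angular's own code): it scans Angular template text for '<script>' start tags whose 'href' or 'xlink:href' is bound or interpolated rather than static, so the dynamic bindings the advisory says to avoid can be located in a codebase. The function name findDynamicScriptHrefs and the sample template are assumptions; the scan is a regex pass over template source, not the Angular compiler's parser, so it also flags script tags that are not inside an '<svg>' parent.

```typescript
// Added audit helper (not Angular's code): find dynamic href / xlink:href
// bindings on <script> start tags in Angular template text. Assumed input:
// template source as a string; SAMPLE_TEMPLATE below is constructed.

interface ScriptHrefFinding {
  line: number;      // 1-based line of the <script ...> start tag
  attribute: string; // binding as written, e.g. "[attr.xlink:href]"
  value: string;     // bound expression or interpolated attribute value
}

function findDynamicScriptHrefs(template: string): ScriptHrefFinding[] {
  // Every <script ...> start tag, capturing its attribute text.
  const scriptTag = /<script\b([^>]*)>/gi;
  // Angular forms of an href binding inside a tag:
  //   [attr.href]="e"  [attr.xlink:href]="e"  [href]="e"  [xlink:href]="e"
  //   bind-href="e"    bind-xlink:href="e"     href="{{e}}" (interpolation)
  const hrefBinding =
    /(\[(?:attr\.)?(?:xlink:)?href\]|bind-(?:xlink:)?href|\b(?:xlink:)?href)\s*=\s*(?:"([^"]*)"|'([^']*)')/gi;
  const findings: ScriptHrefFinding[] = [];
  let tag: RegExpExecArray | null;
  while ((tag = scriptTag.exec(template)) !== null) {
    const attrs = tag[1];
    hrefBinding.lastIndex = 0;
    let m: RegExpExecArray | null;
    while ((m = hrefBinding.exec(attrs)) !== null) {
      const name = m[1];
      const value = m[2] ?? m[3] ?? '';
      // A static literal href is not the issue; only bindings/interpolations are.
      const dynamic =
        name.startsWith('[') || name.startsWith('bind-') || value.includes('{{');
      if (!dynamic) continue;
      const line = template.slice(0, tag.index).split('\n').length;
      findings.push({ line, attribute: name, value });
    }
  }
  return findings;
}

// Constructed sample: one property binding, one static URL, one interpolation.
const SAMPLE_TEMPLATE = `<svg xmlns="http://www.w3.org/2000/svg">
  <script [attr.xlink:href]="userUrl"></script>
  <script href="https://cdn.example.invalid/static.js"></script>
  <script href="{{ apiResponse.scriptUrl }}"></script>
</svg>
<a [href]="link">not a script element</a>`;

for (const f of findDynamicScriptHrefs(SAMPLE_TEMPLATE)) {
  console.log(`line ${f.line}: <script ${f.attribute}="${f.value}"> is dynamically bound`);
}
```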

Added: Jan 10, 2026, 4:19 AM
Updated: Jan 10, 2026, 4:19 AM

Vulnerability Rating

Custom Algorithm
spread: 6.6
impact: 4.2
exploitability: 3.9
remediation: 8.3
relevance: 2.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.