Angular has XSS Vulnerability via Unsanitized SVG Script Attributes

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to versions 19.2.18, 20.3.16, 21.0.7, and 21.1.0-rc.0, a cross-site scripting (XSS) vulnerability has been identified in the Angular Template Compiler. The vulnerability exists because Angular’s internal sanitization schema fails to recognize the href and xlink:href attributes of SVG <script> elements as a Resource URL context. This issue has been patched in versions 19.2.18, 20.3.16, 21.0.7, and 21.1.0-rc.0.

N/A

在Web页面生成时对输入的转义处理不恰当(跨站脚本)

Angular 跨站脚本漏洞

Angular是Angular开源的一个开发平台。用于使用 Typescript / JavaScript 和其他语言构建移动和桌面 Web 应用程序。 Angular 19.2.18之前版本、20.3.16之前版本、21.0.7之前版本和21.1.0-rc.0之前版本存在跨站脚本漏洞，该漏洞源于内部清理模式未能识别SVG script元素的href和xlink:href属性，可能导致跨站脚本攻击。

N/A

N/A