javascript.angular.security.detect-angular-sce-disabled.detect-angular-sce-disabled
semgrep
Author
1,327
Download Count*
License
$sceProvider is set to false. Disabling Strict Contextual escaping (SCE) in an AngularJS application could provide additional attack surface for XSS vulnerabilities.
Run Locally
Run in CI
Defintion
rules:
- id: detect-angular-sce-disabled
message: $sceProvider is set to false. Disabling Strict Contextual escaping
(SCE) in an AngularJS application could provide additional attack surface
for XSS vulnerabilities.
metadata:
cwe:
- "CWE-79: Improper Neutralization of Input During Web Page Generation
('Cross-site Scripting')"
references:
- https://docs.angularjs.org/api/ng/service/$sce
- https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf
category: security
technology:
- angular
owasp:
- A07:2017 - Cross-Site Scripting (XSS)
- A03:2021 - Injection
cwe2022-top25: true
cwe2021-top25: true
subcategory:
- vuln
likelihood: HIGH
impact: MEDIUM
confidence: HIGH
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
vulnerability_class:
- Cross-Site-Scripting (XSS)
languages:
- javascript
- typescript
severity: ERROR
pattern: |
$sceProvider.enabled(false);
Examples
detect-angular-sce-disabled.js
var app = angular.module('MyApp', []).config(function ($sceProvider) {
// ruleid: detect-angular-sce-disabled
$sceProvider.enabled(false);
});
app.controller('myCtrl', function($scope) {
$scope.userInput = 'foo';
$scope.sayHello = function() {
$scope.html = "Hello <b>" + $scope.userInput + "</b>!"
};
});
var app = angular.module('MyApp2', []).config(function ($sceProvider) {
$sceProvider.enabled(true);
});
Short Link: https://sg.run/N4DG