javascript.angular.security.detect-angular-trust-as-html-method.detect-angular-trust-as-html-method

profile photo of returntocorpreturntocorp
Author
1,327
Download Count*

The use of $sce.trustAsHtml can be dangerous if unsanitized user input flows through this API.

Run Locally

Run in CI

Defintion

rules:
  - id: detect-angular-trust-as-html-method
    message: The use of $sce.trustAsHtml can be dangerous if unsanitized user input
      flows through this API.
    metadata:
      cwe:
        - "CWE-79: Improper Neutralization of Input During Web Page Generation
          ('Cross-site Scripting')"
      owasp:
        - A07:2017 - Cross-Site Scripting (XSS)
        - A03:2021 - Injection
      references:
        - https://docs.angularjs.org/api/ng/service/$sce#trustAsHtml
        - https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf
      category: security
      technology:
        - angular
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    languages:
      - javascript
      - typescript
    severity: WARNING
    patterns:
      - pattern-either:
          - pattern: |
              $SOURCE = $scope.$INPUT;
              $sce.trustAsHtml($SOURCE);
          - pattern: |
              $sce.trustAsHtml($scope.$INPUT);
      - pattern-inside: |
          app.controller(..., function($scope,$sce){
          ...
          });

Examples

detect-angular-trust-as-html-method.js

var app = angular.module('MyApp', []);
app.controller('myCtrl', function($scope, $sce) {

$scope.userInput = 'foo';
    $scope.sayHello = function() {
     // ruleid:detect-angular-trust-as-html-method
     $scope.trustedurl = $sce.trustAsHtml($scope.html);
     // ruleid:detect-angular-trust-as-html-method
     input = $scope.html
     $scope.trustedurl = $sce.trustAsHtml(input);


     //Data is not coming from user input
     $scope.trustedurl = $sce.trustAsJs('stringLiteral');
   };

});