The vulnerability resides in the `domino` library, a server-side DOM implementation used by `@angular/platform-server` for Angular Server-Side Rendering (SSR). When Angular renders a template that binds user-controlled data inside a `<noscript>` element, the SSR process relies on `domino` to emulate the browser DOM. Under normal browser behavior, `<noscript>` is a raw-text element that should not parse nested HTML tags. However, during SSR, `domino` is initialized with scripting enabled, causing it to treat `<noscript>` as a container that still expects proper escaping of its closing tag. In the vulnerable versions, `domino`'s HTML serializer incorrectly omitted `<noscript>` from the list of raw-text elements that require closing-tag escaping.

Consequently, if an attacker injects the string `</noscript><script>alert(1)</script>` into a bound value inside `<noscript>`, the serializer writes the unescaped `</noscript>` directly into the output HTML. The serialized output becomes `<noscript>... </noscript><script>alert(1)</script></noscript>`. When a browser parses this, the first `</noscript>` closes the original `<noscript>` block early, and the subsequent `<script>` block is executed as live HTML. Because the page origin remains unchanged, this is a same-origin XSS attack.

The vulnerability affects any Angular SSR application that renders user-supplied strings inside a `<noscript>` element without prior sanitization. It enables session hijacking, credential theft, or arbitrary actions on behalf of the victim. Patched versions of Angular (22.0.0-rc.2, 21.2.16, 20.3.24, 19.2.25) update `domino` to a fixed release (≥2.1.4) where `</noscript>` is properly escaped as `&lt;/noscript&gt;`. Workarounds include avoiding user data inside `<noscript>` or stripping `</noscript>` tags from inputs.
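The serializer behaviour described above, modeled as an added example (not code from domino, Angular or this page). The function names, the two escape lists and their `script`/`style` members are assumptions made for illustration; only the `noscript` omission and the sample bound value come from the text.

```javascript
// Added illustration: a toy serializer, not domino's source code.
// Raw-text elements have their text written verbatim, so the element's own
// closing tag must be neutralised inside that text.
// List members other than 'noscript' are assumed for the illustration.
const ESCAPE_LIST_VULNERABLE = new Set(['script', 'style']);
const ESCAPE_LIST_FIXED = new Set(['script', 'style', 'noscript']);

// Serialize <tag>text</tag>, escaping embedded closing tags only when the
// tag is on the escape list (any letter case, optional trailing characters).
function serializeRawText(tag, text, escapeList) {
  let body = text;
  if (escapeList.has(tag)) {
    const closing = new RegExp('</(' + tag + ')\\b([^>]*)>', 'gi');
    body = body.replace(closing, '&lt;/$1$2&gt;');
  }
  return '<' + tag + '>' + body + '</' + tag + '>';
}

// Output check for one serialized <noscript> element: more than one closing
// tag means the browser ends the element before the serializer intended.
function closesEarly(html) {
  const closers = html.match(/<\/noscript[\s\/>]/gi) || [];
  return closers.length > 1;
}

// Constructed sample: the bound value quoted in the text above.
const boundValue = '</noscript><script>alert(1)</script>';
const before = serializeRawText('noscript', boundValue, ESCAPE_LIST_VULNERABLE);
const after = serializeRawText('noscript', boundValue, ESCAPE_LIST_FIXED);
console.log(before, closesEarly(before));
console.log(after, closesEarly(after));
```

A check like `closesEarly` can run in an SSR integration test against rendered `<noscript>` fragments to confirm the patched serializer is the one in use.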
<h2 style="color: blue;">DailyCVE Form:</h2>
Platform: Angular SSR
Version: <19.2.25,<20.3.24,<21.2.16
Vulnerability: XSS via noscript
Severity: Medium (6.1)
date: 2023-08-10
<h2 style="color: blue;">Prediction: Fixed 2024-03-20</h2>
<h2 style="color: blue;">What Undercode Say:</h2>
```bash
# Check Angular version
ng version | grep Angular
# Detect vulnerable domino version
npm list domino
# Test payload in SSR template
echo "<noscript>{{ userInput }}</noscript>" > test.component.html
# Simulate malicious input
curl -X POST https://target.com/ssr -d "userInput=</noscript><script>alert(1)</script>"
```
Exploit:
```html
<!-- Attacker-controlled input bound inside <noscript> -->
<noscript>{{ user.profile }}</noscript>
<!-- user.profile = "</noscript><script>fetch('/cookie')</script>" -->
<!-- Rendered output causes script execution -->
```
Protection:
- Update to Angular >=19.2.25, >=20.3.24, >=21.2.16, or 22.0.0-rc.2
- Sanitize user input: escape `</noscript>` as `&lt;/noscript&gt;`
- Avoid binding user data inside `<noscript>`
- Use Angular's built-in DomSanitizer with bypass disabled
Impact:
- Same-origin XSS leads to session hijacking
- Credential theft (cookies, tokens)
- Unauthorized actions (CSRF-like)
- Page defacement and phishing
Sources:
Reported By: github.com

