@angular/platform-server XSS in domino serialization, CVE-2023-26117 (High) -DC-Jun2026-418


The vulnerability arises from a UTF-16 index alignment bug in the `domino` library, which Angular uses for server-side DOM emulation during SSR. When serializing raw-text elements like `<script>`, `<style>`, or `<iframe>`, `domino` attempts to escape any closing tags (e.g., `</script>`) found inside the element’s content. However, JavaScript measures string indices in UTF-16 code units – astral characters (e.g., emojis, 😀) occupy two code units instead of one. If an attacker injects dynamic text that includes an astral character immediately before a raw closing tag, `domino`’s index offset calculation misaligns. The escaping logic then fails to recognize or replace the closing tag, leaving it unescaped in the final HTML output. When the browser parses this SSR-generated page, the unescaped closing tag prematurely closes the raw-text context, allowing the attacker’s subsequent `` inside an `
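
A simplified model of the index mismatch described above, added here as an example; it is not domino's or Angular's code. The function names and the `&lt;` replacement are assumptions made for the illustration, and the sample strings are constructed.

```javascript
// Added illustration of the bug class; NOT domino's source code.
// Function names and the '&lt;' escape form are assumptions for this example.

// Buggy model: walks the text by code point but slices it by UTF-16 offset.
function escapeRawTextBuggy(text, tag) {
  const needle = '</' + tag.toLowerCase();
  let out = '';
  let i = 0; // counts code points, because for...of yields whole code points
  for (const ch of text) {
    // BUG: slice() takes UTF-16 code unit offsets, so after an astral
    // character `i` lags behind and the lookahead no longer starts at '<'.
    const ahead = text.slice(i, i + needle.length).toLowerCase();
    out += (ch === '<' && ahead === needle) ? '&lt;' : ch;
    i += 1;
  }
  return out;
}

// Corrected model: advance by the UTF-16 length of each code point.
function escapeRawTextFixed(text, tag) {
  const needle = '</' + tag.toLowerCase();
  let out = '';
  let i = 0; // UTF-16 code unit offset, the same unit slice() uses
  for (const ch of text) {
    const ahead = text.slice(i, i + needle.length).toLowerCase();
    out += (ch === '<' && ahead === needle) ? '&lt;' : ch;
    i += ch.length; // 2 for astral characters, 1 otherwise
  }
  return out;
}

// Regression check for serialized output: can raw-text content still close its element?
function hasUnescapedClose(serialized, tag) {
  return serialized.toLowerCase().includes('</' + tag.toLowerCase());
}

// Constructed samples: the same text with and without a leading astral character.
const samples = ['plain </script> text', '\u{1F600}</script> text'];
for (const s of samples) {
  console.log(JSON.stringify(s),
    '| buggy leaves close tag:', hasUnescapedClose(escapeRawTextBuggy(s, 'script'), 'script'),
    '| fixed leaves close tag:', hasUnescapedClose(escapeRawTextFixed(s, 'script'), 'script'));
}
```

A check like `hasUnescapedClose` over serialized raw-text content, fed strings containing astral characters, works as a regression test for any SSR serializer.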