
Use of SCE bypass

What does this mean?

The Angular SCE (Strict Contextual Escaping) service may be turned off globally using the $sceProvider.enabled() method in the controller's config block, or per value using the $sce.trustAs methods. Either way, once untrusted data is bound as HTML without sanitization, the application becomes vulnerable to cross-site scripting (XSS) attacks.

What can happen?

Specially crafted input evades the pattern matching of a blacklist filter and still yields a valid JavaScript statement once rendered, resulting in XSS.

Recommendation

  • Avoid using the ng-bind-html-unsafe directive
  • Avoid naively marking user input as trusted with the Strict Contextual Escaping methods such as $sce.trustAsHtml(value)

Sample Code

Vulnerable:

myApp.filter('stripDangerousHTML', function($sce) {
    return function(value) {
        let input = value;
        // Blacklist approach: only two substrings are removed; any other markup survives untouched
        input = input
            .replace(/javascript/g, '')
            .replace(/alert/g, '');
        // Marks the result as trusted HTML, so ng-bind-html renders it without any sanitization
        return $sce.trustAsHtml(input);
    };
});
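The following is an added example, not code from the original page: it places the blacklist logic of the filter above, reduced to a plain function, beside the two defensive alternatives for AngularJS 1.x. It assumes an application module named myApp and that the ngSanitize module (angular-sanitize.js) is loaded; both names are illustrative. The Angular part is guarded so the file also runs under Node without Angular present.

```javascript
// Added example (not from the original page). Assumptions: an AngularJS 1.x
// app module named "myApp" and the ngSanitize module being loaded.

// 1. The page's blacklist approach, reproduced as a plain function so it can
//    be examined without Angular. It deletes two substrings only; every other
//    tag and attribute in the input is passed through unchanged.
function blacklistStrip(value) {
  return String(value).replace(/javascript/g, '').replace(/alert/g, '');
}

// 2. Safe default: do not bind untrusted data as HTML at all. Escaping the
//    five HTML-significant characters is what ng-bind / {{ }} does, so any
//    markup inside the data is rendered by the browser as literal text.
const ESCAPE_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPE_MAP[ch]);
}

// 3. A quick review check to run over a filter's output: does it still
//    contain a tag or an on* event attribute? The blacklist filter fails this
//    for ordinary markup; the escaping function never does.
function containsMarkup(html) {
  return /<\s*[a-z!\/]/i.test(html) || /\son[a-z]+\s*=/i.test(html);
}

// 4. When rich HTML really is required, let ngSanitize's allowlist do the
//    work instead of $sce.trustAsHtml. With ngSanitize loaded, ng-bind-html
//    already sanitizes automatically; this filter makes the step explicit.
if (typeof angular !== 'undefined') {
  angular.module('myApp', ['ngSanitize'])
    .filter('safeRichText', ['$sanitize', function ($sanitize) {
      return function (value) { return $sanitize(value); };
    }]);
}

// Constructed sample input: benign markup containing neither of the two
// blacklisted words, which the blacklist therefore leaves fully intact.
const SAMPLE = '<b>Hello</b> & <a href="/x">link</a>';

console.log('blacklist :', blacklistStrip(SAMPLE), '-> markup left:', containsMarkup(blacklistStrip(SAMPLE)));
console.log('escaped   :', escapeHtml(SAMPLE), '-> markup left:', containsMarkup(escapeHtml(SAMPLE)));
```

The design point is that a deny-list of words is not a sanitizer: the safe choices are either to bind as text (escapeHtml mirrors what Angular's default interpolation does) or, when HTML output is a requirement, to pass the data through an allowlist-based sanitizer such as $sanitize and never through $sce.trustAsHtml.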
