AngularJS XSS 中<input>场地

Question

I have an AngularJS app (Angular version 1.6.4) that uses an input field to bind an URL (that can be changed by the user) to a model. Here is how it looks like:

<input ng-model="connectorService.url">

This URL is then saved to a backend and re-loaded from there as soon as the page is refreshed. I have tried to do some XSS by manipulating the POST requests that set the URL in the backend.

I entered <script>alert("XSS");</script> into the input and it is set correctly (verified by manually requesting it from the backend). When I reload the page, the input field contains the XSS but it is not executed. What am I doing wrong? Is there still a sandbox in AngularJS 1.6.4?

Answer 1

Is there still a sandbox in AngularJS 1.6.4?

No, the expression sandbox was removed with AngularJS 1.6

From the Docs:

Another major change [with V1.6] is the removal of the Expression Sandbox . This should not require changes to your application (and may give it a small performance boost), but we strongly recommend reading the Sandbox Removal Blog Post to understand the implications behind the removal and whether any action is required on your part.

— AngularJS Developer Guide - Migrating to V1.6

For additional information, see

• AngularJS Developer Guide - Sandbox Removal