| Details | |
|---|---|
| Alert ID | 210009-5 |
| Alert Type | Tool |
| Status | alpha |
| Risk | High |
| CWE | 79 |
| WASC | |
| Technologies Targeted | All |
| Tags |
CWE-79 OWASP_2021_A03 OWASP_2025_A05 TOOL_PTK |
Summary
postMessage-controlled expression value reaches AngularJS $parse.
Generated by OWASP PTK IAST Module
Solution
• Do not evaluate user-controlled AngularJS expressions. • Do not render untrusted input inside AngularJS interpolation or ng-* expression attributes. • Do not pass cookie, storage, message, URL or form values to $parse/$compile/$interpolate without strict allow-listing. • Migrate away from unsupported AngularJS versions.Other Info
References
- https://portswigger.net/web-security/cross-site-scripting/contexts/angularjs-sandbox
- https://cwe.mitre.org/data/definitions/79.html