| Details | |
|---|---|
| Alert ID | 220004-2 |
| Alert Type | Tool |
| Status | alpha |
| Risk | High |
| CWE | 79 |
| WASC | |
| Technologies Targeted | All |
| Tags |
CWE-79 OWASP_2021_A03 OWASP_2025_A05 TOOL_PTK |
Summary
Finds AngularJS code patterns where untrusted data is compiled or parsed as AngularJS expressions/templates, including $parse, $interpolate, $compile, interpolation delimiters and ng-* expression attributes.
Generated by OWASP PTK SAST Module
Solution
Avoid passing user-controlled strings to AngularJS expression or template compilation APIs. Do not server-render user input inside {{...}}, [[...]], ng-* expression attributes, or $parse/$compile/$interpolate inputs. Use text-only rendering, strict allow-lists for expression names, and migrate from legacy AngularJS.Other Info
References
- https://portswigger.net/web-security/cross-site-scripting/contexts/angularjs-sandbox
- https://cwe.mitre.org/data/definitions/79.html