TypeScript innerHTML With Untrusted Input

Description

Detects potential Cross-Site Scripting (XSS) vulnerabilities in Angular applications where untrusted input is assigned directly to the innerHTML property. This is dangerous because an innerHTML assignment parses its value as markup, so dynamic content that contains malicious scripts can execute arbitrary JavaScript.

Weakness:

371 - DOM-Based cross-site scripting (XSS)

Category: Unexpected Injection

Detection Strategy

    Identifies instances where the innerHTML property is assigned in Angular TypeScript/JavaScript code

    Analyzes data flow to check whether the assigned value comes from an untrusted source (such as user input, HTTP responses, or URL parameters)

    Reports a vulnerability when innerHTML is assigned content from an untrusted source without proper sanitization
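The three steps above are the shape of a taint-tracking check. The following is an added, framework-free TypeScript sketch of that check, not the rule database's own implementation: it walks constructed component snippets line by line, records variables fed from an assumed list of untrusted sources (URL parameters, window.location, HTTP responses, form values), propagates that taint through plain assignments, clears it when the value passes through an assumed sanitizer call, and reports any `.innerHTML =` assignment whose right-hand side is still tainted. The source and sanitizer lists, the sample snippets and the `analyze` function are all assumptions made for this example.

```typescript
// Added example: a deliberately small, line-based approximation of the three
// detection steps. Real analyzers work on a syntax tree with proper data-flow;
// this toy only keeps the idea visible.

interface TaintSource { pattern: RegExp; label: string }

// Assumed sources of untrusted data (constructed list, not exhaustive).
const UNTRUSTED_SOURCES: TaintSource[] = [
  { pattern: /queryParamMap\.get\(|paramMap\.get\(/, label: "URL parameter" },
  { pattern: /location\.(search|hash|href)/,        label: "window.location" },
  { pattern: /this\.http\.(get|post)\(/,            label: "HTTP response" },
  { pattern: /\.value\b/,                           label: "form input" },
];

// Calls that turn a tainted string into safe markup (assumed list). Angular's
// bypassSecurityTrustHtml() is intentionally absent: it marks a value as
// trusted without cleaning it, so taint must survive it.
const SANITIZERS: RegExp[] = [/sanitizer\.sanitize\(/, /DOMPurify\.sanitize\(/];

// The sink: a direct assignment to the innerHTML property. Angular's [innerHTML]
// template binding is sanitized by the framework; nativeElement.innerHTML is not.
const SINK = /\.innerHTML\s*=\s*(.+?);?\s*$/;
// An ordinary assignment that may carry taint from its right-hand side.
const ASSIGN = /^\s*(?:(?:const|let|var)\s+|this\.)([A-Za-z_]\w*)\s*=\s*(.+?);?\s*$/;

interface Finding { line: number; source: string; code: string }

function isSanitized(rhs: string): boolean {
  return SANITIZERS.some((s) => s.test(rhs));
}

// Returns the label of the untrusted origin if `expr` reads from an untrusted
// source directly or references a variable already known to be tainted.
function taintOf(expr: string, tainted: Record<string, string>): string | undefined {
  const direct = UNTRUSTED_SOURCES.find((s) => s.pattern.test(expr));
  if (direct) return direct.label;
  for (const name of Object.keys(tainted)) {
    if (new RegExp("\\b" + name + "\\b").test(expr)) return tainted[name];
  }
  return undefined;
}

function analyze(source: string): Finding[] {
  const tainted: Record<string, string> = {};
  const findings: Finding[] = [];
  source.split("\n").forEach((text, idx) => {
    const sink = text.match(SINK);
    if (sink) {
      // Steps 1 and 3: an innerHTML assignment whose right-hand side is tainted
      // and not sanitized on this line is reported.
      const label = taintOf(sink[1], tainted);
      if (label && !isSanitized(sink[1])) {
        findings.push({ line: idx + 1, source: label, code: text.trim() });
      }
      return;
    }
    const assign = text.match(ASSIGN);
    if (!assign) return;
    const name = assign[1];
    const rhs = assign[2];
    // Step 2: propagate taint through ordinary assignments; a sanitizer call
    // on the right-hand side clears it.
    const label = taintOf(rhs, tainted);
    if (label && !isSanitized(rhs)) tainted[name] = label;
    else delete tainted[name];
  });
  return findings;
}

// Constructed snippets standing in for component code under review.
const VULNERABLE = [
  "ngOnInit() {",
  '  const raw = this.route.snapshot.queryParamMap.get("q") ?? "";',
  '  const greeting = "<b>Hi</b> " + raw;',
  "  this.content.nativeElement.innerHTML = greeting;",
  "}",
].join("\n");

const FIXED = [
  "ngOnInit() {",
  '  const raw = this.route.snapshot.queryParamMap.get("q") ?? "";',
  '  const clean = this.sanitizer.sanitize(SecurityContext.HTML, raw) ?? "";',
  "  this.content.nativeElement.innerHTML = clean;",
  "  this.content.nativeElement.innerText = raw;",
  "}",
].join("\n");

const DIRECT = "  this.banner.nativeElement.innerHTML = location.hash.slice(1);";

const samples: Array<[string, string]> = [["VULNERABLE", VULNERABLE], ["FIXED", FIXED], ["DIRECT", DIRECT]];
for (const [name, code] of samples) {
  console.log(name, analyze(code));
}
```

Running it reports the `greeting` assignment in `VULNERABLE` (line 4, origin "URL parameter") and the one-line `DIRECT` case, and nothing for `FIXED`, where the value passed through `sanitizer.sanitize(SecurityContext.HTML, ...)` and the raw string only reaches `innerText`, which is not a sink. Two points worth keeping in mind when reading real findings: Angular's `[innerHTML]` template binding is run through `DomSanitizer` by the framework, whereas writing `nativeElement.innerHTML` bypasses it entirely; and `bypassSecurityTrustHtml()` does not clean anything, so a checker must keep treating its result as tainted.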

Vulnerable code example

import { Component, ElementRef, ViewChild } from "@angular/core";
import { ActivatedRoute } from "@angular/router";

@Component({
  selector: "app-root",
  template: `<div #content></div>`
})
export class VulnerableComponent {...

✅ Secure code example

import { Component, ElementRef, ViewChild, SecurityContext } from "@angular/core";
import { ActivatedRoute } from "@angular/router";
import { DomSanitizer } from "@angular/platform-browser";

@Component({
  selector: "app-root",
  template: `<div [innerText]="sanitizedContent"></div>` // Use innerText instead of innerHTML
})...