Security: Potential Cross-Site Scripting (XSS) via ng-bind-html with user-controlled data#11173

Open
tomaioo wants to merge 1 commit into medic:master from tomaioo:fix/security/potential-cross-site-scripting-xss-via-n

Conversation

@tomaioo tomaioo commented Jun 15, 2026

Summary

Security: Potential Cross-Site Scripting (XSS) via ng-bind-html with user-controlled data

Problem

Severity: High | File: admin/src/templates/display_privacy_policies_preview.html:L1

The display_privacy_policies_preview.html template uses ng-bind-html to render content that comes from user-uploaded files ($scope.content). While the controller uses $sanitize, the getHtml function first decodes base64 content using atob() and decodeURIComponent() before sanitization. If the sanitization is bypassed or contains bugs, this could lead to XSS. Additionally, the resourceIcon filter uses $sce.trustAsHtml() which directly trusts HTML content without sanitization, potentially allowing malicious SVG or other HTML content.

Solution

Ensure all user-controlled content passed to ng-bind-html is properly sanitized. Consider using ng-bind instead where possible, or implement a stricter content security policy. For resourceIcon, validate and sanitize image content server-side before allowing it to be served.

Changes

  • admin/src/templates/display_privacy_policies_preview.html (modified)

The `display_privacy_policies_preview.html` template uses `ng-bind-html` to render content that comes from user-uploaded files (`$scope.content`). While the controller uses `$sanitize`, the `getHtml` function first decodes base64 content using `atob()` and `decodeURIComponent()` before sanitization. If the sanitization is bypassed or contains bugs, this could lead to XSS. Additionally, the `resourceIcon` filter uses `$sce.trustAsHtml()` which directly trusts HTML content without sanitization, potentially allowing malicious SVG or other HTML content.

Signed-off-by: tomaioo <203048277+tomaioo@users.noreply.github.com>
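A defender-side illustration of the two points raised above, added here and not part of this PR or the medic code base: icon uploads are validated by MIME type and magic bytes before anything could reach `$sce.trustAsHtml`, and the base64/URI decoding that `getHtml` performs is mirrored to show that sanitization has to run on the fully decoded markup. All function and constant names are hypothetical.

```javascript
// Added example (not medic code). Magic numbers for the raster types an icon
// upload may carry; SVG is deliberately absent because it can embed script.
const SIGNATURES = {
  'image/png':  Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]),
  'image/jpeg': Buffer.from([0xff, 0xd8, 0xff]),
  'image/gif':  Buffer.from('GIF8', 'latin1'),
};

// Accept an icon only if it is a base64 data: URI for an allowed raster type
// AND its first bytes match that type's signature, so a lying MIME label
// (e.g. SVG markup declared as image/png) is rejected as well.
function validateIconDataUri(uri) {
  const m = /^data:([a-z0-9.+-]+\/[a-z0-9.+-]+);base64,([A-Za-z0-9+/=]+)$/i.exec(uri);
  if (!m) return { ok: false, reason: 'not a base64 data: URI' };
  const mime = m[1].toLowerCase();
  const sig = SIGNATURES[mime];
  if (!sig) return { ok: false, reason: `disallowed type ${mime}` };
  const bytes = Buffer.from(m[2], 'base64');
  if (bytes.length < sig.length || !bytes.subarray(0, sig.length).equals(sig)) {
    return { ok: false, reason: `payload is not ${mime}` };
  }
  return { ok: true, mime };
}

// Mirrors the decoding order the PR describes for getHtml (atob, then
// decodeURIComponent). The returned string is the one that must be sanitized:
// a sanitizer run on the still-encoded input never sees a single tag.
function decodeUploadedContent(b64) {
  const raw = Buffer.from(b64, 'base64').toString('latin1'); // same as atob()
  return decodeURIComponent(raw);
}

// For content that only needs to be displayed as text, escape it and bind
// with ng-bind rather than ng-bind-html.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}
```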
@andrablaj (Member)

@sugat009 would you be available to review this PR? Thank you
