0

This is regarding injecting the script tag (given below) in one of the input and it's description field. Values are saving fine and showing in the grid.

Go to this <script>window.alert('abc')</script> and fill out the FAFSA.

Form fields:-

enter image description here

You can see in the below screenshot that the alert script is running from the description field.

Modal implementation (execute on click of the document type link in the listing):-

  $rootScope.showNormalModal = function (message) {
        var modalHtml = "<div class='modal-header'><button type='button' ng-click='cancel()' class='close' data-dismiss='modal' aria-label='Close'>" +
            "<span aria-hidden='true'>×</span></button> " +
            "<h4 class='modal-title' id='myModalLabel'><div>" +
            "</div>" + message + "</h4></div>";

        var modalInstance = $modal.open({
            template: modalHtml,
            controller: function ($scope, $modalInstance) {
                $scope.cancel = function () {
                    $modalInstance.dismiss('cancel');
                };
            }
        });
    }
});

If the input parameter has script tag with some operation, it is not showing in the UI as it is, instead the script is running before the modal.

Expected behavior here is when I clicked on the anchor in the listing, it should show its description in the popup. what is happening here is, before showing the description, I am getting a alert window because of the script tag injection.

How will I avoid the alert script getting executed before the popup.

Attached all the screenshots below.

Listing Page :-

Listing Page

Alert Window :-

Alert Window

Description Popup :-

Description

Thanks in advance.

Improve this question
5
  • Do you use some standard/public component? (please names, links)? Otherwise the answer will be as broad as your question: "Do sanitize" Commented Dec 20, 2017 at 7:12
  • Sanitize html content. docs.angularjs.org/api/ngSanitize/service/$sanitize Commented Dec 20, 2017 at 7:24
  • 4
    Building HTML via string concatenation with user provided content should always set off big flashing XSS VULNERABILITY warning lights in your brain - if you can refactor your code to not do that, I'd highly recommend it. Otherwise, $sanitize it. Commented Dec 20, 2017 at 11:21
  • 1
    added more details. @Ashish - can you explain how will implement sanitize in the above example Commented Dec 20, 2017 at 11:22
  • @SarunUK I have added answer. Hope that will work. Commented Dec 20, 2017 at 16:22

1 Answer 1

Reset to default
1

Can you please try below code

$rootScope.showNormalModal = function (message) {
  var modalHtml = "<div class='modal-header'><button type='button' ng-click='cancel()' class='close' data-dismiss='modal' aria-label='Close'>" +
    "<span aria-hidden='true'>×</span></button> " +
    "<h4 class='modal-title' id='myModalLabel'><div>" +
    "</div><div ng-bind=\"message\"></div></h4></div>";

  var modalInstance = $modal.open({
    template: modalHtml,
    controller: function ($scope, $modalInstance, message) {
      $scope.cancel = function () {
        $modalInstance.dismiss('cancel');
      };
      $scope.message = message;
    },
    resolve: {
      message: function () {
        return message;
      }
    }
  });
}
Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

it would be very helpful to add a little description for future readers.
The trick on the code is the use of the ng-bind, that will help doing some basic content sanitation. also you can use docs.angularjs.org/api/ngSanitize/service/$sanitize

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.