0

i have a node api(localhost:5000/ ) which returns html type response.

when i run localhost:5000/ in browser it execute the scripts from returned response from my api.below is my app.js file.

const http = require("http");
const server = http.createServer((req, res) => {
  const { headers, url, method } = req;
  res.setHeader("Access-Control-Allow-Origin", "*");
  res.setHeader("Content-Type", "text/html");
  res.end(`<script>alert('test');</script>`);
});
const PORT = 5000;
server.listen(PORT, () => console.log(`Server running on ${PORT}`));

enter image description here

The same thing i want to achieve via angular . i will call this api and i want the script from my response to get executed. how can i tell angular that my script is safe and can be trusted ? Have tried with innerhtml but doesnt work.

 <div class="adv" [innerHtml]="htmlToAdd"></div>
Jagadeesh
  • 1,967
  • 8
  • 24
  • 47

1 Answers1

2

angular implement good layer to act like antixss, for this reason, it didn't process the content retrieved from the backend which contains script because maybe this script contains malicious code and this is considered a big security risk since xss is considered OWASP top 10 for many years and if your application goes for penetration test will not pass at all because xss is high rated risk in OWASP.

but if you want to proceed you can like this

import { Component, Inject, OnInit, SecurityContext } from '@angular/core';
import { HttpClient } from '@angular/common/http';
import { Observable } from 'rxjs';
import { DomSanitizer } from '@angular/platform-browser';
import { DOCUMENT } from '@angular/common';

@Component({
  selector: 'app-first',
  templateUrl: './first.component.html',
  styleUrls: ['./first.component.css']
})
export class FirstComponent implements OnInit {

  constructor(private http: HttpClient, private sanitizer: DomSanitizer, @Inject(DOCUMENT) private document: any) {
    this.getScriptFromBackend()
      .subscribe(data => {
        document.getElementById("myScriptLoader").innerHTML = this.sanitizer.sanitize(SecurityContext.HTML, this.sanitizer.bypassSecurityTrustHtml(data.html));

      });

  }

  getScriptFromBackend(): Observable<any> {
    return this.http.get('http://localhost:3000/test').pipe()

  }
  ngOnInit() {

  }

}

and in first.component.html add the below line

<div  id="myScriptLoader"></div>

this need also little workaround in server-side to return script over SVG onload event like below

  var result={'html':'<svg onload=\"alert(123)\">  </svg>'};
  res.send(result)

enter image description here

MHassan
  • 415
  • 4
  • 9
  • return angular.bypassSecurityTrustHtml(sanitizedContent); .. angular ? – Jagadeesh Jul 10 '21 at 09:20
  • @Jagadeesh check the answer again – MHassan Jul 10 '21 at 09:24
  • @Jagadeesh full description described here in angular online [documentation ](https://angular.io/api/platform-browser/DomSanitizer) – MHassan Jul 10 '21 at 09:28
  • Hi, It doesnt work . SafeValue must use [property]=binding: (see http://g.co/ng/security#xss) .. also tried with property binding. – Jagadeesh Jul 10 '21 at 09:42
  • {{htmlToAdd| safeHtml}}
    {{htmlToAdd| safeHtml}}
    .. the above two elements giving me these responses. SafeValue must use [property]=binding: (see http://g.co/ng/security#xss) alert('test');     – Jagadeesh Jul 10 '21 at 09:44
  • ok try to write using this way
    – MHassan Jul 10 '21 at 09:53
  • Tried in the above way .. ERROR Error: Required a safe HTML, got a Script (see http://g.co/ng/security#xss) at DomSanitizerImpl.push../node_modules/@angular/platform-browser/fesm5/platform-browser.js.DomSanitizerImpl.checkNotSafeValu – Jagadeesh Jul 10 '21 at 10:00
  • Let us [continue this discussion in chat](https://chat.stackoverflow.com/rooms/234717/discussion-between-mohamed-hassan-and-jagadeesh). – MHassan Jul 10 '21 at 10:01
  • @Jagadeesh working with me in this scenrio – MHassan Jul 10 '21 at 16:09
  • Hi , Thanks alert is working but there are indepth js scripting included in my response api like cdn links are imported with script tag and jquery is loaded by it and navigation should occur. " " any thing can be done for this ? – Jagadeesh Jul 11 '21 at 06:10
  • Actually no this the max you can reach using this work around try to inject script within these limitations . Please mark this as right solution so it can be useful for others – MHassan Jul 11 '21 at 06:21