Created
October 29, 2024 09:07
-
-
Save plowsec/eff1f493fddac397de695c6f22ab14fc to your computer and use it in GitHub Desktop.
Things to grep when auditing Angular codebase
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| bypassSecurityTrustHtml | |
| bypassSecurityTrustStyle | |
| bypassSecurityTrustScript | |
| bypassSecurityTrustUrl | |
| bypassSecurityTrustResourceUrl | |
| innerHTML | |
| outerHTML | |
| insertAdjacentHTML | |
| document.write | |
| eval( | |
| Function( | |
| setTimeout( (with string parameter) | |
| setInterval( (with string parameter) | |
| ng-bind-html (without sanitization) | |
| [innerHTML]= | |
| [attr.href]= (especially with user input) | |
| [attr.src]= (especially with user input) | |
| [style]= (especially with user input) | |
| dangerouslySetInnerHTML (if using React components) | |
| DomSanitizer.sanitize(SecurityContext.HTML, | |
| DomSanitizer.sanitize(SecurityContext.STYLE, | |
| DomSanitizer.sanitize(SecurityContext.SCRIPT, | |
| DomSanitizer.sanitize(SecurityContext.URL, | |
| DomSanitizer.sanitize(SecurityContext.RESOURCE_URL, | |
| ElementRef.nativeElement (direct DOM manipulation) | |
| Renderer2.setProperty (when setting innerHTML) | |
| document.createElement (when used to create script tags) | |
| .createComment (when used with user input) | |
| .createTextNode (when used with user input) | |
| location.href= (especially with user input) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment