NGHTMLUtilities.createElementStringWithAttributes() does not escape attribute values, making any binding-supplied attribute value an XSS vector.
Affected elements
Any element that uses addAssociationValuesToAttributes() or createElementStringWithAttributes() to emit binding-driven attribute values:
NGTextField
NGPopUpButton
NGCheckbox
NGForm (pass-through attributes)
NGSubmitButton
NGHyperlink
NGGenericElement
NGGenericContainer
Example attack
A binding value like " onclick="alert('xss') written into any pass-through attribute results in script execution in the rendered page.
Fix
Escape attribute values when emitting them. Content escaping is already correct in NGString/NGText — this is the symmetric fix for attribute context. Should be a single fix in the utility method with broad impact across the element library.
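The following is an added illustration of the fix described above; it is example code, not the project's own NGHTMLUtilities. The method names, the Map-based attribute representation and the attribute-name check are assumptions made for the example: the point is that every value is escaped for attribute context and always wrapped in double quotes, so a binding value can never close the quote and start a new attribute.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;

// Added example, not the project's code. Names below are assumptions
// modelled on the issue text.
public final class AttributeEscapingExample {

    // Attribute names are expected to come from the component, not from
    // bindings; this check (an assumption for the example) rejects anything
    // that is not a plain HTML attribute name so a name can't smuggle markup.
    private static final Pattern ATTR_NAME = Pattern.compile("[A-Za-z][A-Za-z0-9_:.-]*");

    // Escape the characters that matter in an HTML attribute context.
    // Both quote styles are escaped so the result stays inert no matter
    // which quote a caller wraps the value in.
    static String escapeAttributeValue(String value) {
        if (value == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(value.length() + 16);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Hardened builder: every value passes through escapeAttributeValue and
    // is always emitted inside double quotes. Unquoted attributes are never
    // produced, because escaping alone does not protect an unquoted value.
    static String createElementStringWithAttributes(String tag, Map<String, String> attributes) {
        StringBuilder sb = new StringBuilder("<").append(tag);
        for (Map.Entry<String, String> e : attributes.entrySet()) {
            String name = e.getKey();
            if (!ATTR_NAME.matcher(name).matches()) {
                throw new IllegalArgumentException("Illegal attribute name: " + name);
            }
            sb.append(' ')
              .append(name)
              .append("=\"")
              .append(escapeAttributeValue(e.getValue()))
              .append('"');
        }
        return sb.append('>').toString();
    }

    public static void main(String[] args) {
        Map<String, String> attrs = new LinkedHashMap<>();
        attrs.put("type", "text");
        attrs.put("name", "q");
        // The payload quoted in the issue, arriving as a binding-supplied value.
        attrs.put("value", "\" onclick=\"alert('xss')");
        System.out.println(createElementStringWithAttributes("input", attrs));
    }
}
```

Running the example prints a single input element whose value attribute contains the payload with its quotes rendered as &quot; and &#39;, so the browser treats the whole string as the attribute's text and no onclick attribute is created. Because the escaping lives in the one builder that every listed element goes through, the fix covers NGTextField, NGPopUpButton, NGForm pass-through attributes and the rest without per-element changes, which matches the single-utility-method approach proposed above.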
Severity
Critical — broad XSS surface across most form elements. M2 blocker.