Which @angular/* package(s) are the source of the bug?
platform-server/domino
Is this a regression?
No
Description
When Angular SSR (`@angular/platform-server`, which uses `@angular/domino`) renders text inside a `<noscript>` element via `{{ value }}` or `[textContent]`, the value is written to the SSR response without escaping.
If the value contains `</noscript>`, the noscript element closes early in the HTML sent to the browser, and any markup after it, including a `<script>` element, is parsed and executed normally in the page's origin.
Text bindings (`{{ }}`, `[textContent]`) are assumed safe by developers. They are not safe inside `<noscript>` under SSR.
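The mechanism above in miniature, as an added example that is not Angular's or domino's code: a text-node serializer that follows the HTML serialization rule (children of `<noscript>` are emitted raw when the DOM believes scripting is enabled), a simulated scripting-enabled browser that ends the element at the first `</noscript`, and a hardened serializer that always escapes. The function names and the payload in `SAMPLE_VALUE` are this example's own assumptions, not values from the report.

```javascript
// Added example, not Angular's or domino's code. Models the serialization
// rule behind the report, the resulting <noscript> break-out, and a fix.
// Function names and SAMPLE_VALUE are this example's own constructions.

// Constructed attacker-controlled value bound via {{ value }} inside <noscript>.
const SAMPLE_VALUE = '</noscript><script>alert(document.domain)</script>';

// Escaping applied to ordinary text-node children (the safe path).
function escapeText(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Parents whose children the HTML serialization algorithm always emits raw.
const RAW_TEXT_PARENTS = new Set(['style', 'script', 'xmp', 'iframe', 'noembed', 'noframes', 'plaintext']);

// Serialize a text node under `parentTag`. The spec adds <noscript> to the raw
// set only when scripting is enabled for the document; a server-side DOM that
// reports scripting as enabled therefore writes {{ value }} unescaped.
function serializeTextNode(value, parentTag, scriptingEnabled) {
  if (RAW_TEXT_PARENTS.has(parentTag) || (parentTag === 'noscript' && scriptingEnabled)) {
    return value; // raw text: the bug described in the report
  }
  return escapeText(value);
}

function renderNoscript(value, scriptingEnabled) {
  return '<noscript>' + serializeTextNode(value, 'noscript', scriptingEnabled) + '</noscript>';
}

// Hardened variant: <noscript> children are always escaped, whatever the
// server-side scripting flag. A browser with JS enabled never renders noscript
// content, and one with JS disabled parses it as normal HTML, so the entities
// decode back to the intended text for the only audience that sees it.
function renderNoscriptHardened(value) {
  return '<noscript>' + escapeText(value) + '</noscript>';
}

// Simulate a scripting-enabled browser, which tokenizes <noscript> content as
// RAWTEXT: the element ends at the first "</noscript" (case-insensitive)
// followed by whitespace, "/" or ">". Returns the markup that lands outside it.
function markupAfterNoscript(html) {
  const open = html.indexOf('<noscript>');
  if (open === -1) return null;
  const body = html.slice(open + '<noscript>'.length);
  const m = /<\/noscript[\s/>]/i.exec(body);
  if (!m) return null; // never closed: the rest of the page is swallowed instead
  const close = body.indexOf('>', m.index);
  return body.slice(close + 1);
}

// Does any markup that escaped the element contain a script tag?
function leaksScript(html) {
  const rest = markupAfterNoscript(html);
  return rest !== null && /<script[\s>]/i.test(rest);
}

// Input-side guard for templates that must keep a <noscript> binding: flag a
// value that could terminate the element early, using the same tokenizer rule.
function hasNoscriptBreakout(value) {
  return /<\/noscript[\s/>]/i.test(value);
}

if (typeof require !== 'undefined' && require.main === module) {
  const vuln = renderNoscript(SAMPLE_VALUE, true);
  const safe = renderNoscriptHardened(SAMPLE_VALUE);
  console.log('scripting-enabled DOM:', vuln, '-> leaks script:', leaksScript(vuln));
  console.log('hardened serializer:  ', safe, '-> leaks script:', leaksScript(safe));
}
```

Run with `node` to see the two serializations side by side. The interesting point is that the correct server-side choice does not depend on whether the eventual reader has JavaScript on: the escaped form is invisible to a scripting-enabled browser and decodes correctly in a scripting-disabled one, so nothing is lost by always escaping.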