fix(compiler): disallow static i18n url attributes (XSS) #68557
josephperrott
left a comment
LGTM
Reviewed-for: fw-security
Reject translated static URL attributes so localized href and action values cannot bypass Angular URL sanitization.
6b3b3a7 to cbd938c
Thanks for the contribution. We agree there is a security concern here, but this implementation isn't the correct approach. Refer to PR #68591 for more context.
Thanks, understood. Just to keep the disclosure trail clear: I understand this PR is superseded by #68591 because my implementation is too narrow / not the preferred fix direction. I also understand the underlying vulnerability condition is still valid, since you confirmed there is a security concern here. For traceability, this PR was intended to address one concrete manifestation of the i18n security gap: translated static i18n attributes were not consistently resolved against Angular’s DOM security schema, so security-sensitive attributes could bypass the sanitizer/validator path Angular applies elsewhere. From #68591, the broader maintainer-owned fix appears to address the root cause by resolving the security context from SECURITY_SCHEMA for i18n static attributes and applying the corresponding sanitizer or validateAttribute path. I’ll reference #68591 as the canonical remediation path for the security report, and treat this PR as superseded rather than invalid. For this PR specifically, the concrete case was translated static URL attributes such as href/action/formaction.
This fix addresses an XSS issue in Angular i18n where translated static URL
attributes could be emitted without going through Angular's URL sanitization.
Summary: XSS in Angular i18n: translated URL attributes bypass URL sanitization and execute javascript: href/action values.
Angular already sanitizes translated URL attributes when the value is produced
from a binding or interpolation. Static translated attributes take a separate
compiler path, so a translated
`href`, `action`, or `formaction` value could be applied as a constant URL value instead of being sanitized.
This PR follows disclosure guidance from Google OSS VRP to work with the
Angular maintainers through a public pull request.
Changes:
- `SecurityContext.URL` collection
- `href` and `action` translations

PR Checklist
Please check if your PR fulfills the following requirements:
PR Type
What kind of change does this PR introduce?
What is the current behavior?
Static attributes marked for i18n are allowed even when Angular's DOM security
schema marks the attribute as a URL sink. Translated static URL values can be
emitted as constants instead of passing through URL sanitization.
Existing translated URL bindings and translated URL interpolations are already
sanitized, which means static translated URL attributes are the inconsistent
case.
Issue Number: N/A
What is the new behavior?
Angular rejects static URL attributes marked for translation, for example a
static `href` or `action` with `i18n-href` or `i18n-action`.
Translated URL bindings and interpolations remain supported and continue to use
the existing sanitizer path.
Does this PR introduce a breaking change?
This may break applications that translate static URL attributes directly. Those
applications should use a binding or interpolation so Angular can sanitize the
translated URL value at runtime.
Other information
Validation run locally:

```
bazelisk test //packages/core/test:test --test_filter='security integration tests translation'
bazelisk test //packages/core/test/acceptance:acceptance --test_filter='attribute sanitization'
bazelisk test //packages/compiler/test:test --test_filter='i18n'
npx --yes prettier@3.8.0 --check packages/compiler/src/render3/view/i18n/meta.ts packages/core/test/linker/security_integration_spec.ts
git diff --check -- packages/compiler/src/render3/view/i18n/meta.ts packages/core/test/linker/security_integration_spec.ts
```
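The rule described under "What is the new behavior?", written out as an added stand-alone TypeScript example (not code from this PR or from Angular): a static attribute marked for translation whose tag/attribute pair is a URL sink is rejected at compile time, and the runtime URL sanitizer that bound and interpolated values go through is shown beside it, so it is visible what the static path was skipping. The `URL_SINKS` subset and the `SAFE_URL_PATTERN` regex are assumptions modelled on Angular's documented behaviour, not copied from its source.

```typescript
// Added illustration, not Angular's code: the schema subset and the sanitizer
// pattern below are assumptions modelled on Angular's documented behaviour.
enum SecurityContext { NONE = 0, URL = 4 }

// Constructed subset of the DOM security schema: "tag|attr" pairs that are URL
// sinks ("*" matches any tag). Angular's real table is larger.
const URL_SINKS: ReadonlySet<string> = new Set([
  '*|formaction', 'a|href', 'area|href', 'form|action', 'img|src',
]);

function securityContextOf(tag: string, attr: string): SecurityContext {
  const a = attr.toLowerCase();
  const hit = URL_SINKS.has(`${tag.toLowerCase()}|${a}`) || URL_SINKS.has(`*|${a}`);
  return hit ? SecurityContext.URL : SecurityContext.NONE;
}

interface StaticAttr { tag: string; name: string; value: string; i18n: boolean }

// Compile-time rule the PR introduces: a static attribute marked for translation
// (i18n-<name>) that resolves to a URL sink is rejected, because the static i18n
// path would otherwise emit the translated value as a constant without sanitizing it.
function checkStaticAttr(a: StaticAttr): string | null {
  if (!a.i18n || securityContextOf(a.tag, a.name) !== SecurityContext.URL) return null;
  return `Static URL attribute "${a.name}" on <${a.tag}> cannot be translated; ` +
         `use a binding ([${a.name}]) so the translated value is sanitized at runtime.`;
}

// Runtime URL sanitizer that bound and interpolated values go through (assumed
// pattern: any scheme other than javascript:, or a relative path, is allowed).
const SAFE_URL_PATTERN = /^(?!javascript:)(?:[a-z0-9+.-]+:|[^&:/?#]*(?:[/?#]|$))/i;

function sanitizeUrl(url: string): string {
  return SAFE_URL_PATTERN.test(url) ? url : `unsafe:${url}`;
}

// Run the compile-time rule over template attributes and show what the runtime
// sanitizer would have done with each translated value.
function audit(attrs: StaticAttr[]): Array<{attr: string; rejected: boolean; sanitized: string}> {
  return attrs.map(a => ({
    attr: `${a.tag}[${a.name}]`,
    rejected: checkStaticAttr(a) !== null,
    sanitized: sanitizeUrl(a.value),
  }));
}

const SAMPLE: StaticAttr[] = [ // constructed sample attributes
  {tag: 'a', name: 'href', value: 'javascript:alert(1)', i18n: true},
  {tag: 'a', name: 'href', value: '/home', i18n: false},
  {tag: 'button', name: 'formaction', value: '  javascript:alert(1)', i18n: true},
  {tag: 'a', name: 'title', value: 'Home', i18n: true},
];
for (const r of audit(SAMPLE)) console.log(r);
```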