
I bet there are a lot more production Angular apps out there than people think that have this vulnerability right now.



From the research I have done, this is a true statement. The reason is that people are adding Angular into their web apps that were initially built with an MVC framework of some sort.

The problem ends up being that they mix server-side templates with client-side templates. If user input is rendered in a server-side template and ends up in an element that is part of the Angular scope, the expression will evaluate. So attaching an Angular controller to your body tag and then including server-side templates within the body is bad...
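
The pattern described in the comment above, as an added example that is not part of the original thread: HTML escaping on the server leaves `{{ }}` untouched, so reflected input inside an Angular-compiled region is still treated as a template. The function names, the `PageCtrl` controller and the sample input are hypothetical; `ng-non-bindable` is AngularJS's own directive for excluding an element from compilation.

```javascript
// Added example (constructed): function names and sample input are hypothetical.

// Standard HTML escaping, as most server-side template engines apply by default.
// Note that it does not touch curly braces.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;'
  }[c]));
}

// Pattern from the comment: controller on <body>, server-rendered user input inside it.
function renderMixed(userInput) {
  return '<body ng-app ng-controller="PageCtrl">' +
         '<p>Hello, ' + escapeHtml(userInput) + '</p></body>';
}

// Hardened: user input sits in an ng-non-bindable element, which AngularJS
// skips when compiling the page. Escaping stops the input closing the wrapper.
function renderIsolated(userInput) {
  return '<body ng-app ng-controller="PageCtrl">' +
         '<p>Hello, <span ng-non-bindable>' + escapeHtml(userInput) +
         '</span></p></body>';
}

// Review check: does the reflected text reach the page with {{ }} intact
// and outside an ng-non-bindable wrapper?
function angularWouldEvaluate(html, userInput) {
  const escaped = escapeHtml(userInput);
  if (!/\{\{[\s\S]*?\}\}/.test(escaped)) return false; // no interpolation markers
  const at = html.indexOf(escaped);
  if (at === -1) return false;                          // input not reflected
  const before = html.slice(0, at);
  const open = before.lastIndexOf('<span ng-non-bindable>');
  const close = before.lastIndexOf('</span>');
  return !(open !== -1 && open > close);                // true when not shielded
}

const sample = '{{1+1}}'; // constructed, harmless expression
console.log('mixed templates:', angularWouldEvaluate(renderMixed(sample), sample));
console.log('isolated input: ', angularWouldEvaluate(renderIsolated(sample), sample));
```

Keeping `ng-app` and `ng-controller` on a narrow element that contains no server-rendered user input avoids the problem at the source; the wrapper is for cases where that is not possible.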



