fix(@angular/build): escape prerender redirect URLs#33248
Conversation
Sorry, something went wrong.
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request introduces HTML escaping for redirect URLs in static pages to prevent HTML injection vulnerabilities. It adds an escapeHtml utility and updates the generateRedirectStaticPage function to apply this escaping to both the meta refresh tag and the fallback link. Additionally, E2E tests have been included to verify the fix. The reviewer pointed out that while HTML escaping prevents tag injection, it does not protect against malicious URI schemes like javascript:, and recommended adding protocol validation for the redirect URL.
Sorry, something went wrong.
alan-agius4
left a comment
alan-agius4
left a comment
There was a problem hiding this comment.
I have reservations about this change.
It assumes the attacker can already modify the source code on your machine or alter the database if the routes are built dynamically. If an attacker already has that level of access, they could inflict far worse damage anyway.
Sorry, something went wrong.
Escape prerender redirect targets before embedding them in generated static redirect pages. This prevents attacker-controlled redirect URLs from breaking out of the meta refresh, anchor href, or fallback text contexts and injecting HTML that could lead to XSS.
Escape prerender redirect targets before embedding them in generated static
redirect pages.
This prevents attacker-controlled redirect URLs from breaking out of the meta
refresh, anchor href, or fallback text contexts and injecting HTML that could
lead to XSS.
Add server-routes static e2e coverage for an HTML-breaking redirect target.