web javascript angular xss bypasssecuritytrusthtml innerhtml

Untrusted data that reaches DomSanitizer.bypassSecurityTrustHtml() and is then bound to [innerHTML] is rendered with Angular's sanitization disabled.

bypassSecurityTrustHtml + [innerHTML] as the Final Angular Sink

bypassSecurityTrustHtml explicitly disables Angular's normal HTML sanitization for the marked string. If untrusted data reaches that call, the framework is no longer your defense.

Why It Works

  • The marked string is rendered as raw HTML via [innerHTML], executing any active markup it contains.

Vulnerable Pattern

  • Article renderers or CMS views calling DomSanitizer.bypassSecurityTrustHtml(data.content) and binding the result to [innerHTML].
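As an added example (not code from the original note or from the fcsc2026 challenge), a small static audit that flags components where a bypassSecurityTrust* result is bound to [innerHTML], run against constructed vulnerable and hardened component sources; pairing a `*.component.ts` with its `*.component.html` sibling by file stem is an assumption.

```python
"""Static check: flag Angular components binding a bypassSecurityTrust* result to [innerHTML]."""
import re
from pathlib import Path

# `this.prop = ...bypassSecurityTrustXxx(arg)` inside a component class.
BYPASS_RE = re.compile(
    r"this\.(\w+)\s*=[^;]*?bypassSecurityTrust(Html|Style|Script|Url|ResourceUrl)\(([^)]*)\)")
# `[innerHTML]="expr"` in a template; the bound property is the first identifier of expr.
INNER_HTML_RE = re.compile(r'\[innerHTML\]\s*=\s*"([^"]+)"')

# Constructed sample: the vulnerable pattern from the note (trusted content into [innerHTML]).
VULN_TS = """
export class ArticleComponent {
  constructor(private sanitizer: DomSanitizer) {}
  load(data: any) { this.safeContent = this.sanitizer.bypassSecurityTrustHtml(data.content); }
}"""
VULN_HTML = '<div class="body" [innerHTML]="safeContent"></div>'

# Constructed hardened form: bind the raw string and let Angular's HTML sanitizer strip active markup.
FIXED_TS = """
export class ArticleComponent {
  load(data: any) { this.content = data.content; }
}"""
FIXED_HTML = '<div class="body" [innerHTML]="content"></div>'

def audit_component(ts_src: str, html_src: str) -> list[dict]:
    """Return a finding for each property trusted via bypassSecurityTrust* and rendered through [innerHTML]."""
    trusted = {m.group(1): (m.group(2), m.group(3).strip()) for m in BYPASS_RE.finditer(ts_src)}
    findings = []
    for m in INNER_HTML_RE.finditer(html_src):
        prop = re.split(r"[.?\[\s]", m.group(1).strip())[0]
        if prop in trusted:
            kind, arg = trusted[prop]
            findings.append({"property": prop, "bypass": "bypassSecurityTrust" + kind, "source": arg})
    return findings

def audit_tree(root: Path) -> dict[str, list[dict]]:
    """Pair each *.component.ts with its *.component.html sibling (assumed naming) and audit both."""
    results = {}
    for ts in root.rglob("*.component.ts"):
        html = ts.with_suffix(".html")
        if html.exists():
            found = audit_component(ts.read_text(), html.read_text())
            if found:
                results[str(ts.relative_to(root))] = found
    return results

if __name__ == "__main__":
    for name, (ts, html) in {"vulnerable": (VULN_TS, VULN_HTML), "hardened": (FIXED_TS, FIXED_HTML)}.items():
        print(name, audit_component(ts, html))
```

The regexes are deliberately simple and will miss indirection (a wrapper service returning SafeHtml, a pipe applying the bypass), so treat a clean result as a starting point for manual review, not proof of absence.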

Exploit Flow

  1. Identify which field becomes trusted HTML.
  2. Redirect or control the data source returning that field, then embed active HTML.

Variations

  • Trusted styles, trusted resource URLs, or indirect wrappers ending up in the same sink class.

Common Blockers

  • Data source not fully attacker-controlled, or CSP blocking the chosen payload family.

PoC Sketch

{"content":"<img src=x onerror=alert(1)>"}

Good Situations To Use It

  • An Angular view trusts a content field via bypassSecurityTrustHtml.
  • You control that data source (often via CSPT / upload confusion).
  • CSP allows the payload family.

Sources

  • fcsc2026/web/deep_blue