fix(@angular/build): escape prerender redirect URLs#33248
Conversation
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request introduces HTML escaping for redirect URLs in static pages to prevent HTML injection vulnerabilities. It adds an escapeHtml utility and updates the generateRedirectStaticPage function to apply this escaping to both the meta refresh tag and the fallback link. Additionally, E2E tests have been included to verify the fix. The reviewer pointed out that while HTML escaping prevents tag injection, it does not protect against malicious URI schemes like javascript:, and recommended adding protocol validation for the redirect URL.
| * @returns The HTML content of the static redirect page. | ||
| */ | ||
| export function generateRedirectStaticPage(url: string): string { | ||
| const escapedUrl = escapeHtml(url); |
There was a problem hiding this comment.
While escapeHtml prevents HTML injection by escaping characters that could break out of the attribute or tag context, it does not protect against XSS via malicious URI schemes such as javascript:. If the redirect URL is attacker-controlled (as suggested in the PR description), an attacker could provide a javascript: URL that would still execute when the user clicks the fallback link or when the browser processes the meta refresh. Consider validating that the URL uses an allowed protocol (e.g. http:, https:, or is a relative path starting with /).
References
- Avoid placing a comma immediately after abbreviations like 'e.g.' in user-facing messages. (link)
There was a problem hiding this comment.
Fixed, now it should throw an exception if we find an invalid scheme (it was also wonder me this and I forgot that javascript: was also an executable, although it only happens if you click on the href, but meta redirect doesn't work)
Escape prerender redirect targets before embedding them in generated static redirect pages. This prevents attacker-controlled redirect URLs from breaking out of the meta refresh, anchor href, or fallback text contexts and injecting HTML that could lead to XSS.
alan-agius4
left a comment
alan-agius4
left a comment
There was a problem hiding this comment.
I have reservations about this change.
It assumes the attacker can already modify the source code on your machine or alter the database if the routes are built dynamically. If an attacker already has that level of access, they could inflict far worse damage anyway.
| return text.replace(/[&<>"']/g, (character) => htmlEscapeCharacters[character]); | ||
| } | ||
|
|
||
| function validateRedirectUrl(url: string): string { |
There was a problem hiding this comment.
Validation shouldn't happen here, it should happen why before during the extraction phase.
There was a problem hiding this comment.
It assumes the attacker can already modify the source code on your machine or alter the database if the routes are built dynamically. If an attacker already has that level of access, they could inflict far worse damage anyway.
In this regard, it is possible that we might use a third-party API that could be compromised; if that happens, the impact, instead of affecting only one company/person, would extend far beyond that.
2 participants
Escape prerender redirect targets before embedding them in generated static
redirect pages.
This prevents attacker-controlled redirect URLs from breaking out of the meta
refresh, anchor href, or fallback text contexts and injecting HTML that could
lead to XSS.
Add server-routes static e2e coverage for an HTML-breaking redirect target.