...
An Abusive Relationship with AngularJS by Mario Heiderich
Access Control Issues:
An excerpt from https://docs.angularjs.org/guide/security:
"If an attacker has access to control Angular templates or expressions, they can exploit an Angular application via an XSS attack, regardless of the version.
There are a number of ways that templates and expressions can be controlled:
- Generating Angular templates on the server containing user-provided content. This is the most common pitfall where you are generating HTML via some server-side engine such as PHP, Java or ASP.NET.
- Passing an expression generated from user-provided content in calls to the following methods on a scope:
  - $watch(userContent, ...)
  - $watchGroup(userContent, ...)
  - $watchCollection(userContent, ...)
  - $eval(userContent)
  - $evalAsync(userContent)
  - $apply(userContent)
  - $applyAsync(userContent)
- Passing an expression generated from user-provided content in calls to services that parse expressions:
  - $compile(userContent)
  - $parse(userContent)
  - $interpolate(userContent)
- Passing an expression generated from user-provided content as a predicate to orderBy pipe:
  - value | orderBy : userContent"