From: Alister Stevens <alister@pebblepad.co.uk>
Date: Tue, 6 May 2025 13:40:27 +0100
Subject: Fix improper sanitisation of href and xlink:href on SVG image
elements
Fix CVE-2025-0716
origin: backport, https://github.com/PebblePad/angular.js/commit/71513129efd044c09e52d47455d73c62ff3287d8
bug: https://www.herodevs.com/vulnerability-directory/cve-2025-0716?angularjs-nes
bug-poc: https://codepen.io/herodevs/pen/qEWQmpd/a86a0d29310e12c7a3756768e6c7b915
---
src/ng/compile.js | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/src/ng/compile.js b/src/ng/compile.js
index 8e7cf98..c525895 100644
--- a/src/ng/compile.js
+++ b/src/ng/compile.js
@@ -3807,6 +3807,11 @@ function $CompileProvider($provide, $$sanitizeUriProvider) {
(nodeName === 'link' && attrNormalizedName === 'href')
) {
return $sce.RESOURCE_URL;
+ } else if (
+ // SVG image href can be abused (content spoofing)
+ (nodeName === "image") && (attrNormalizedName === 'href' || attrNormalizedName === 'ngHref')
+ ) {
+ return $sce.MEDIA_URL;
} else if (nodeName === 'a' && (attrNormalizedName === 'href' ||
attrNormalizedName === 'ngHref')) {
return $sce.URL;
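Review bot: The new `image` branch is a security fix that ships without a regression spec: the diffstat lists only src/ng/compile.js, so nothing pins that an interpolated `href` or `ng-href` on an SVG `<image>` is now resolved in the `$sce.MEDIA_URL` context. The subject line also names xlink:href, but this branch matches only `href` and `ngHref`; `xlinkHref` is presumably handled by a branch outside the hunk, which is worth confirming in the tree this backport targets. On style, the condition should use single quotes like the neighbouring lines and drop the redundant parentheses, e.g. `nodeName === 'image' && (attrNormalizedName === 'href' || attrNormalizedName === 'ngHref')`. The comment could also state the reason more fully, e.g. `// CVE-2025-0716: SVG <image> href must be treated as a media URL so it goes through image-source sanitisation`. The enclosing function starts and ends outside the hunk.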