Description
angular.js prior to 1.8.0 allows cross-site scripting (XSS). The regex-based replacement applied to input HTML may turn sanitized code into unsanitized code. Wrapping <option> elements in <select> elements changes parsing behavior, which can likewise leave code unsanitized.
Recommendation
Update the angular package to the latest compatible version. Version details:
- Affected version(s): < 1.8.0
- Patched version(s): 1.8.0
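To check a project against the version range above, the following added example (not part of the advisory or of the angular package) scans a parsed package-lock.json for angular installs below 1.8.0, including copies nested under other dependencies. The function names, the sample lockfile and its package names and versions are constructed for illustration.

```javascript
// Added example (not the advisory's code): flag "angular" installs below 1.8.0.
const PATCHED = [1, 8, 0]; // patched version stated in the advisory

// Returns true when `version` sorts before 1.8.0 under semver ordering.
// Unparseable values (git URLs, missing fields) are flagged for manual review.
function isAffected(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(version));
  if (!m) return true;
  for (let i = 0; i < 3; i++) {
    const n = Number(m[i + 1]);
    if (n !== PATCHED[i]) return n < PATCHED[i]; // numeric, so 1.10.0 > 1.8.0
  }
  return m[4] !== undefined; // a prerelease of 1.8.0 sorts before the release
}

// Walks a parsed package-lock.json and returns every affected angular install,
// including copies nested under other dependencies.
function findAffectedAngular(lock) {
  const hits = [];
  if (lock.packages) { // lockfileVersion 2 and 3: flat map keyed by install path
    for (const [path, pkg] of Object.entries(lock.packages)) {
      const isAngular =
        path === "node_modules/angular" || path.endsWith("/node_modules/angular");
      if (isAngular && isAffected(pkg.version)) hits.push({ path, version: pkg.version });
    }
    return hits;
  }
  const walk = (deps, trail) => { // lockfileVersion 1: nested "dependencies"
    for (const [name, dep] of Object.entries(deps || {})) {
      const path = trail ? `${trail} > ${name}` : name;
      if (name === "angular" && isAffected(dep.version)) hits.push({ path, version: dep.version });
      walk(dep.dependencies, path);
    }
  };
  walk(lock.dependencies, "");
  return hits;
}

// Constructed sample lockfile (package names and versions are illustrative).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/angular": { version: "1.7.9" },
    "node_modules/legacy-widget/node_modules/angular": { version: "1.8.0-rc.0" },
    "node_modules/other-widget/node_modules/angular": { version: "1.8.2" },
    "node_modules/@angular/core": { version: "17.0.0" },
  },
};
console.log(findAffectedAngular(SAMPLE_LOCK));
```

For a real project, pass the result of JSON.parse on the contents of package-lock.json to findAffectedAngular.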
References
Related Issues
- Pandao Editor.md vulnerable to cross-site scripting (XSS) in iframe src parameter - CVE-2020-19697
- Pandao Editor.md vulnerable to cross-site scripting (XSS) in editor parameter - CVE-2020-19698
- nuxt vulnerable to Cross-site Scripting in navigateTo if used after SSR - CVE-2024-34343
- Trix vulnerable to Cross-site Scripting on copy & paste - CVE-2025-46812
- Tags:
- npm
- angular
Last updated on November 20, 2025