mirror of
https://github.com/angular/angular
synced 2026-05-24 09:28:37 +00:00
The `parseUrl` function in `ServerPlatformLocation` uses `new URL(urlStr, origin)` to parse incoming request URLs during SSR. Per the WHATWG URL specification, protocol-relative URLs (`//evil.com`) and backslash-prefixed URLs (`/\evil.com`) can override the hostname component of the base URL. This vulnerability typically manifests in SSR setups (e.g., Express) where `req.url` is passed directly to `renderApplication` or `renderModule`: ```typescript // Example usage in an Express server handling: http://localhost:4000//evil.com app.get('*', async (req, res) => { const html = await renderApplication(bootstrap, { document: template, url: req.url, // req.url is "//evil.com" }); res.send(html); }); ``` |
||
|---|---|---|
| .. | ||
| domino_adapter.ts | ||
| http.ts | ||
| location.ts | ||
| platform-server.ts | ||
| platform_state.ts | ||
| private_export.ts | ||
| provide_server.ts | ||
| server.ts | ||
| server_events.ts | ||
| tokens.ts | ||
| transfer_state.ts | ||
| types.d.ts | ||
| utils.ts | ||
| version.ts | ||