Security Advisories | Source: GitHub Security Advisories
[@angular/compiler] Angular vulnerable to XSS in i18n attribute bindings
By GitHub, March 14, 2026
A Cross-Site Scripting (XSS) vulnerability has been identified in the Angular runtime and compiler. It occurs when the application uses a security-sensitive attribute (for example `href` on an anchor tag) together with Angular's ability to internationalize attributes. Enabling internationalization for the sensitive attribute by adding `i18n-<attribute>` name bypasses Angular's built-in sanitization mechanism, which when combined with a data binding to untrusted user-generated data can allow an attacker to inject a malicious script.

The following example illustrates the issue:

```html
<a href="{{maliciousUrl}}" i18n-href>Click me</a>
```

The following attributes have been confirmed to be vulnerable:

- `action`
- `background`
- `cite`
- `codebase`
- `data`
- `formaction`
- `href`
- `itemtype`
- `longdesc`
- `poster`
- `src`
- `xlink:href`

**Impact**

When exploited, this vulnerability allows an attacker to execute arbitrary code within the context of the vulnerable application's domain. This enables:

- Session Hijacking: Stealing session cookies and authentication tokens...
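
The combination described above can be searched for in template source. The following is an added example, not code from the advisory or from Angular: a heuristic Node.js scanner that flags elements where one of the listed attributes carries an interpolation and is also marked with `i18n-<attribute>`. The helper name `findRiskyI18nBindings`, the regex-based tag parsing and the sample template are assumptions made for illustration.

```javascript
// Added example: heuristic scan of Angular template source for the advisory's pattern.
// Attribute names are the ones the advisory lists as confirmed vulnerable.
const SENSITIVE = new Set(['action', 'background', 'cite', 'codebase', 'data',
  'formaction', 'href', 'itemtype', 'longdesc', 'poster', 'src', 'xlink:href']);

// Opening tag: element name, then raw attribute text (quoted values may contain ">").
const TAG_RE = /<([A-Za-z][\w:-]*)((?:"[^"]*"|'[^']*'|[^'">])*)>/g;
// One attribute: name, optionally followed by a quoted or bare value.
const ATTR_RE = /([^\s"'=<>\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

// Hypothetical helper: returns one finding per sensitive attribute that is both
// interpolated ({{ ... }}) and marked for translation with i18n-<attribute>.
function findRiskyI18nBindings(template) {
  const findings = [];
  for (const tag of template.matchAll(TAG_RE)) {
    const attrs = new Map();
    for (const m of tag[2].matchAll(ATTR_RE)) {
      attrs.set(m[1].toLowerCase(), m[2] ?? m[3] ?? m[4] ?? '');
    }
    for (const [name, value] of attrs) {
      if (!SENSITIVE.has(name)) continue;
      if (attrs.has(`i18n-${name}`) && value.includes('{{')) {
        // 1-based line on which the element's opening tag starts
        const line = template.slice(0, tag.index).split('\n').length;
        findings.push({ line, element: tag[1], attribute: name, value });
      }
    }
  }
  return findings;
}

// Constructed sample template (not from a real application).
const SAMPLE = [
  '<a href="{{maliciousUrl}}" i18n-href>Click me</a>', // advisory's example: flagged
  '<a href="/help" i18n-href>Help</a>',                // static value: not flagged
  '<a href="{{profileUrl}}">Profile</a>',              // no i18n-href: not flagged
  '<img src="{{avatar}}" i18n-src alt="Avatar">',      // flagged
  '<form',                                             // multi-line tag: flagged
  '  action="{{target}}"',
  '  i18n-action="@@submit">',
  '</form>',
].join('\n');

for (const f of findRiskyI18nBindings(SAMPLE)) {
  console.log(`line ${f.line}: <${f.element}> ${f.attribute}="${f.value}" with i18n-${f.attribute}`);
}
```

A match marks a template to review; the scanner does not determine whether the bound value is actually untrusted.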
---
**[devsupporter commentary]**
This article is a recent development update provided by GitHub Security Advisories. To learn more about the related tools or technologies, see the original link.