- Bug
- Resolution: Not a Bug
- Medium
- Dublin Release
- SDNC Dublin Spr 3 3/11 - 3/29, SDNC Fr Sp2:11/23-12/13
Need to confirm that user-provided content is not used in any Angular templates. Otherwise, it would be possible to embed malicious content to perform remote code execution (RCE) or cross-site scripting (XSS).
If it is necessary to allow user-provided content in an Angular script, it is recommended that it is only present in a template made inert via the ngNonBindable directive.
See https://github.com/angular/angular.js/issues/14939 for further details.
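
One way to run the confirmation asked for above, as an added example that is not part of the original ticket and is not SDNC code: a small audit that walks a server-rendered template and lists every user-content placeholder that has no ancestor element carrying ng-non-bindable. The ${name} placeholder syntax, the function name and the sample template are assumptions made for illustration.

```javascript
// Added example, not SDNC code. Assumption: the server substitutes
// user-provided values into ${name} placeholders before AngularJS compiles
// the page, and the template markup is well-formed.
const VOID_TAGS = new Set(['br', 'hr', 'img', 'input', 'link', 'meta']);
const INERT_ATTR = /\bng[-:_]non[-:_]bindable\b/i;   // also matches data-/x- prefixes and the class form
const PLACEHOLDER = /\$\{([\w.]+)\}/g;
const TOKEN = /<\/[a-zA-Z][\w-]*\s*>|<([a-zA-Z][\w-]*)([^>]*)>|\$\{([\w.]+)\}/g;

// Return the placeholders AngularJS would still compile: those with no
// ancestor element carrying ng-non-bindable.
function findBindablePlaceholders(template) {
  const stack = [];     // one boolean per open element: is its content inert?
  const findings = [];
  const inert = () => stack.length > 0 && stack[stack.length - 1];
  for (const m of template.matchAll(TOKEN)) {
    const [, openTag, attrs, placeholder] = m;
    if (placeholder) {
      if (!inert()) findings.push(placeholder);
    } else if (openTag) {
      // Conservative: an element's own attributes are judged by its ancestors.
      for (const a of attrs.matchAll(PLACEHOLDER)) {
        if (!inert()) findings.push(a[1]);
      }
      const selfClosing = attrs.trimEnd().endsWith('/') ||
        VOID_TAGS.has(openTag.toLowerCase());
      if (!selfClosing) stack.push(inert() || INERT_ATTR.test(attrs));
    } else {
      stack.pop();      // closing tag
    }
  }
  return findings;
}

// Constructed sample template (hypothetical field names).
const SAMPLE = [
  '<div ng-app="portal">',
  '  <h1>Welcome ${user.displayName}</h1>',
  '  <p ng-non-bindable>Comment: ${comment.body}</p>',
  '  <a title="${link.title}" href="#">more</a>',
  '  <section data-ng-non-bindable><b>${note.text}</b><br>${note.author}</section>',
  '</div>',
].join('\n');

console.log(findBindablePlaceholders(SAMPLE));
```

Each placeholder reported is a place where user-provided text would reach the AngularJS compiler; moving it under an ng-non-bindable element (with normal HTML escaping still applied) removes it from the list.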