js · @angular/platform-server · Critical
@angular/platform-server XSS via <noscript> serialization in domino
What changed
A Cross-Site Scripting (XSS) vulnerability exists in domino, the DOM emulation dependency of @angular/platform-server, when it serializes <noscript> elements. The serializer omitted <noscript> from the raw-text elements that require closing-tag escaping, so an unescaped </noscript> in the content could close the block early and inject scripts.
Who it affects
Users of @angular/platform-server who render dynamic text inside <noscript> elements via SSR.
What to do today
Update @angular/platform-server to one of the patched versions: 22.0.0-rc.2, 21.2.16, 20.3.24, or 19.2.25. If you cannot update, avoid binding user-controlled values inside <noscript>, or sanitize input to strip </noscript>.
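The interim workaround above, as an added example (not code from Angular or domino): it strips `</noscript` from a value before the value is bound inside <noscript>, and checks the result against a model of unescaped output. All function names are hypothetical, and the sample values are constructed.

```javascript
// Added example: names below are hypothetical, not Angular or domino APIs.

// Start of a <noscript> end tag. HTML tag names are case-insensitive, and the
// parser accepts whitespace or "/" before ">", so match only the "</noscript" prefix.
const NOSCRIPT_CLOSE = /<\/noscript/gi;

// Remove every "</noscript" sequence from a value that will be bound inside
// <noscript>. Repeats until stable: a single pass over "</nos</noscriptcript>"
// would leave a freshly assembled "</noscript>" behind.
function stripNoscriptClose(value) {
  let current = String(value);
  let previous;
  do {
    previous = current;
    current = current.replace(NOSCRIPT_CLOSE, '');
  } while (current !== previous);
  return current;
}

// Check for logging or rejecting input instead of silently rewriting it.
function containsNoscriptClose(value) {
  return /<\/noscript/i.test(String(value));
}

// Model of the unpatched serialization described above: text inside <noscript>
// is emitted without escaping. This stands in for SSR output; it is not domino code.
function renderNoscriptUnescaped(text) {
  return `<noscript>${text}</noscript>`;
}

// Number of closing tags in rendered output; exactly 1 means the block
// ends where the template author intended.
function countNoscriptCloses(html) {
  return (html.match(NOSCRIPT_CLOSE) || []).length;
}

// Constructed sample values (placeholders, not working payloads).
const samples = [
  'Enable JavaScript to continue',
  'a</noscript>b',
  'a</NoScript >b',
  'a</nos</noscriptcript>b',
];
for (const s of samples) {
  const out = renderNoscriptUnescaped(stripNoscriptClose(s));
  console.log(containsNoscriptClose(s), countNoscriptCloses(out), out);
}
```

Apply the strip at the point where the value enters the template binding, and remove it once a patched version is deployed.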