Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in @angular/core

Summary

Angular is a development platform for building mobile and desktop web applications using TypeScript, JavaScript, and other languages. Versions prior to 21.2.0, 21.1.16, 20.3.17, and 19.2.19 contain a Cross-Site Scripting vulnerability in the Angular internationalization (i18n) pipeline. In ICU (International Components for Unicode) messages, HTML from translated content was not properly sanitized and could execute arbitrary JavaScript. Angular i18n typically involves extracting messages from an application in the source language, sending them for translation, and merging the translations back into the final source code. Translations are often handled by external contractors. If returned translations contain malicious content, that content could be rendered by the application and execute arbitrary JavaScript in the application origin. Successful exploitation may allow execution of attacker-controlled JavaScript, potentially leading to credential exfiltration or page modification. Several preconditions apply. An attacker must first compromise the translation file, such as "xliff" or "xtb". Unlike most XSS vulnerabilities, this issue is not exploitable by arbitrary users. The victim application must use Angular i18n, include one or more ICU messages, render an ICU message, and not mitigate XSS through a strict Content Security Policy. This issue is patched in versions 21.2.0, 21.1.16, 20.3.17, and 19.2.19. Until the patch is applied, developers should review and verify translated content received from untrusted third parties before incorporating it into an Angular application, enable strict Content Security Policy controls, and enable Trusted Types to enforce proper HTML sanitization.