Skip to content

fix(@angular/build): prevent HTML injection from inlined font CSS#33552

Open
SkyZeroZx wants to merge 1 commit into
angular:mainfrom
SkyZeroZx:fix/inline-font-css-html-injection
Open

fix(@angular/build): prevent HTML injection from inlined font CSS#33552
SkyZeroZx wants to merge 1 commit into
angular:mainfrom
SkyZeroZx:fix/inline-font-css-html-injection

Conversation

@SkyZeroZx

@SkyZeroZx SkyZeroZx commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

Remote font CSS is embedded into a raw-text style element. Escape closing style tags so a compromised allowlisted response cannot terminate the style element and inject nonce-bearing markup.

For example, an attacker controlling the CSS response from an allowlisted font provider ,through provider, cache, or trusted HTTPS proxy compromise , could include </style><script>evil</script>.

During a production build, Angular embedded this response inside a <style> element, turning external CSS into executable first-party JavaScript. If the application used ngCspNonce, later processing also copied the trusted nonce onto the injected script, allowing it to execute under a nonce based CSP. This commit neutralizes closing </style> sequences before embedding the CSS into generated HTML.

Remote font CSS is embedded into a raw-text style element. Escape closing style tags so a compromised allowlisted response cannot terminate the style element and inject nonce-bearing markup.

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request addresses a potential security vulnerability by escaping closing style tags (e.g., </style>) within inlined CSS content to prevent them from prematurely terminating the generated raw-text style element. It also adds a corresponding unit test to verify that closing style tags are correctly escaped and do not lead to arbitrary HTML injection. I have no feedback to provide as there are no review comments.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant