July 12, 2026
DOM XSS in AngularJS expression with angle brackets and double quotes HTML-encoded
AngularJS is a popular JavaScript framework that scans HTML nodes containing the ng-app attribute also known as an AngularJS directive…
By CyberForge
1 min read
DOM XSS in AngularJS expression with angle brackets and double quotes HTML-encoded
AngularJS is a popular JavaScript framework that scans HTML nodes containing the ng-app attribute also known as an AngularJS directive. Inspecting the page source I found
This means the entire body is an AngularJS application and anything wrapped in {{}} gets evaluated as JavaScript. To confirm this I submitted {{7*7}} in the search box. It returned 49 proving AngularJS was evaluating expressions on the page.
The lab title says angle brackets and double quotes are HTML-encoded so standard XSS payloads like
AngularJS has a sandbox that blocks direct access to dangerous functions like alert(). So {{alert(1)}} won't work. The bypass uses a built-in AngularJS function $on every function in JavaScript has a constructor property which gives access to the Function constructor. This lets you create and execute arbitrary JavaScript bypassing the sandbox entirely
{{$on.constructor('alert(1)')()}}
$on = built-in AngularJS function — allowed by sandbox .constructor = accesses the Function constructor ('alert(1)') = creates a new function with alert(1) as the body () = immediately executes it
Alert get fired. Lab solved.