This repository has been archived by the owner on May 29, 2019. It is now read-only.
Your use case is similar to, but not identical to, the one I created in #3175. In our case, the vulnerability seemed to be caused by an artificial condition we were introducing (which is why I closed it). I'd agree that this is substantially different, and appears to be an exploitable attack vector.
I wasn't careful about describing the script and strong tags and half of my comment got sanitized (I've now corrected this). I cross-referenced the tickets.
I suspected this was a potential problem, which is why #4073 exists. The problem at its core is the custom bind-html-unsafe directive, which is a bit of a hack - we are in the process of getting rid of this last vestige present in the typeahead component.
Plunker showing XSS with onClick and onMouseOver: http://plnkr.co/edit/STR8SfgvtUdNopDS5Lam?p=preview
Plunker seems to protect against automatically running a script tag, but I was able to reproduce that locally -- the alert runs after the typeaheadHighlight filter's strong tag moved beyond the closing angle bracket of the script tag.
Previous issue: #3175
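Added example, not part of the thread and not the project's code: a minimal model of the pattern discussed here, where a highlighter wraps matches in `<strong>` and the result is bound as raw HTML, next to an escape-first variant. The names `highlightUnsafe`, `highlightSafe` and the sample item are hypothetical and constructed for illustration.

```javascript
// Escape regex metacharacters so the user's query is matched literally.
function escapeRegexp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Encode the characters that carry meaning in HTML text and attributes.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Weak: adds <strong> around matches but leaves the untrusted item as-is.
// Bound as HTML, any markup in the item becomes live DOM.
function highlightUnsafe(item, query) {
  const text = String(item);
  if (!query) return text;
  return text.replace(new RegExp(escapeRegexp(query), 'gi'), '<strong>$&</strong>');
}

// Hardened: walk the matches, escape every piece of untrusted text,
// and emit only the <strong> tags this function itself creates.
function highlightSafe(item, query) {
  const text = String(item);
  if (!query) return escapeHtml(text);
  const re = new RegExp(escapeRegexp(query), 'gi');
  let out = '';
  let last = 0;
  let m;
  while ((m = re.exec(text)) !== null) {
    out += escapeHtml(text.slice(last, m.index));
    out += '<strong>' + escapeHtml(m[0]) + '</strong>';
    last = m.index + m[0].length;
  }
  return out + escapeHtml(text.slice(last));
}

// Constructed sample: a typeahead item whose label carries an event-handler attribute.
const sample = 'Alabama <span onmouseover="alert(1)">hover</span>';

console.log(highlightUnsafe(sample, 'ala')); // handler attribute survives intact
console.log(highlightSafe(sample, 'ala'));   // markup is rendered as inert text
```

With a query such as `al`, the unsafe variant also inserts `<strong>` inside the attribute value, which is why whether the handler fires depends on where the match lands.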