<!DOCTYPE html>
<html>
  <head>
    <title>Textarea XSS repro - Homepage</title>

    <meta name="author" content="XLTS.dev" />
    <meta
      name="description"
      content="A minimal reproduction of an AngularJS <textarea> XSS vulnerability on IE."
    />

    <meta charset="utf-8" />
    <meta name="viewport" content="width=device-width, initial-scale=1" />
  </head>

  <body ng-app>
    <h1>Reproduction of AngularJS &lt;textarea&gt; XSS vulnerability</h1>

    <h2>Instructions</h2>
    <ol>
      <li>
        Populate the textarea with content that could be malicious when evaluated by AngularJS.
        For example, copy and paste the following text:<br />
        <code ng-non-bindable>{{ $eval.constructor('alert("Hacked!")')() }}</code>
      </li><br />
      <li>
        Navigate to a different page.
        Either type a URL in the browser address bar or click the following link:
        <a href="other.html">Other page</a>
      </li><br />
      <li>
        Come back to this page by clicking the browser's "Back" button.
      </li>
    </ol>

    <hr />

    <label for="textarea">Textarea:</label><br />
    <textarea id="textarea" cols="50"></textarea>

    <hr />

    <blockquote>
      <b>NOTE 1:</b>
      This vulnerability only affects Internet Explorer.
    </blockquote>

    <blockquote>
      <b>NOTE 2:</b>
      This vulnerability is fixed in <a href="https://xlts.dev/angularjs">XLTS for AngularJS v1.9.0</a>.
    </blockquote>

    <blockquote>
      <b>NOTE 3:</b>
      The source code for this Proof-Of-Concept can be found <a href="https://github.com/gkalpak/angularjs-poc-cve-2022-25869">on GitHub</a>.
    </blockquote>

    <script src="https://code.angularjs.org/1.8.2/angular.min.js"></script>
  </body>
</html>