Cross-site Scripting (XSS)
Description
This affects the package @scullyio/scully before 1.0.9. The transfer state is serialised with the JSON.stringify() function and then written into the HTML page.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| @scullyio/scully | npm | < 1.0.9 | 1.0.9 |
| @scullyio/ng-lib | npm | < 1.0.1 | 1.0.1 |
Affected products
- @scullyio/scully (no CPE): range < 1.0.9
- @scullyio/ng-lib (no CPE): range < 1.0.1
Patches
Vulnerability mechanics
Root cause
"Missing output encoding of user-controllable data before embedding it in the HTML page allows cross-site scripting."
Attack vector
An attacker who can control data that ends up in the Angular transfer state (e.g., via a blog post title or other user-controllable content) can inject arbitrary HTML/JavaScript. When Scully serializes that state with `JSON.stringify()` and embeds it directly into the generated HTML page, the attacker's payload is executed in the browser of any visitor viewing that page. This is a classic stored Cross-Site Scripting (XSS) attack [CWE-79].
Affected code
The vulnerability resides in `libs/ng-lib/src/lib/transfer-state/transfer-state.service.ts` where the `saveState` method serialized the transfer state with `JSON.stringify()` and wrote it directly into the HTML page without escaping. The patch also updates `libs/scully/src/lib/systemPlugins/writeToFs.plugin.ts` and `tests/jest/src/test-config.helper.ts` to use the new escaping/unescaping functions.
What the fix does
The patch introduces a custom `escapeHtml()` function that replaces single quotes (`'`), slashes (`/`), less-than (`<`), greater-than (`>`), and newlines with safe placeholder tokens (e.g., `_~q~`, `_~s~`, `_~l~`, `_~g~`). The `saveState` method now calls `escapeHtml()` on the JSON string before embedding it in the HTML, and the client-side `_u()` function reverses the escaping at runtime. This prevents an attacker from breaking out of the JavaScript context or injecting HTML tags because the dangerous characters are neutralized before they reach the page.
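As an added example of the placeholder-token scheme described above (this is not Scully's own code): the transfer state is serialised to JSON first and only then escaped, so the string that lands inside the inline script contains none of the characters that could close the surrounding tag or a quoted string, and the client reverses the tokens before parsing. The token names for `'`, `/`, `<` and `>` are the ones named above; the newline token `_~n~`, the helper names and the sample state are assumptions.

```javascript
// Placeholder-token escaping modelled on the fix described in the advisory.
// `_~q~`, `_~s~`, `_~l~`, `_~g~` are the tokens the advisory names;
// `_~n~` for newline is an assumption.
const TOKENS = [
  ["'", "_~q~"],
  ["/", "_~s~"],
  ["<", "_~l~"],
  [">", "_~g~"],
  ["\n", "_~n~"],
];

// Server side: neutralise every character that could break out of the
// <script> element or a quoted JS string. Tokens contain only `_`, `~`
// and a letter, so no later substitution can re-introduce a dangerous char.
function escapeHtml(s) {
  let out = s;
  for (const [ch, token] of TOKENS) out = out.split(ch).join(token);
  return out;
}

// Client side (the role of `_u()` in the fix): restore the original text.
// Caveat: the scheme is not injective, a literal `_~q~` in the data would
// decode to `'`. That is a round-trip quirk, not an injection, because the
// escaped output never contains the dangerous characters themselves.
function unescapeHtml(s) {
  let out = s;
  for (const [ch, token] of [...TOKENS].reverse()) out = out.split(token).join(ch);
  return out;
}

// Order matters: JSON.stringify first, then escape the resulting string.
function serialiseState(state) {
  return escapeHtml(JSON.stringify(state));
}

function parseState(escaped) {
  return JSON.parse(unescapeHtml(escaped));
}

// Check a practitioner can run over the string before embedding it:
// does it still contain anything that could terminate the script context?
function isSafeForInlineScript(serialised) {
  return !/[<>'\/\n]/.test(serialised);
}

// Constructed sample: a post title carrying a closing-tag fragment, quotes,
// a slash and a newline, the kind of user-controlled value the advisory describes.
const SAMPLE_STATE = {
  title: "Post </script><b>title</b> with 'quotes' and a/slash\nline 2",
};
```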
Preconditions
- Input: the attacker must be able to inject content into data that is serialized into the Angular transfer state (e.g., a blog post title, comment, or other user-controllable field).
- Configuration: the application must use Scully's transfer state mechanism to embed state in the generated HTML page.
Generated on Jun 20, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-r96p-v3cr-gfv8 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2020-28470 (advisory)
- github.com/scullyio/scully/pull/1182 (web)
- snyk.io/vuln/SNYK-JS-SCULLYIOSCULLY-1055829 (web)