fix(@angular/build): escape prerender redirect URLs

Escape prerender redirect targets before embedding them in generated static
redirect pages.

This prevents attacker-controlled redirect URLs from breaking out of the meta
refresh, anchor href, or fallback text contexts and injecting HTML that could
lead to XSS.

Author: SkyZeroZx

packages/angular/build/src/utils/server-rendering/prerender.ts

@@ -253,7 +253,17 @@ async function renderPages(
       const outPath = stripLeadingSlash(posix.join(routeWithoutBaseHref, 'index.html'));
 
       if (typeof redirectTo === 'string') {
-        output[outPath] = { content: generateRedirectStaticPage(redirectTo), appShellRoute: false };
+        try {
+          output[outPath] = {
+            content: generateRedirectStaticPage(redirectTo),
+            appShellRoute: false,
+          };
+        } catch (err) {
+          assertIsError(err);
+          errors.push(
+            `An error occurred while prerendering route '${route}'.\n\n${err.stack ?? err.message ?? err.code ?? err}`,
+          );
+        }
 
         continue;
       }

packages/angular/build/src/utils/server-rendering/utils.ts

@@ -22,6 +22,56 @@ export function isSsrRequestHandler(
   return typeof value === 'function' && '__ng_request_handler__' in value;
 }
 
+const htmlEscapeCharacters: Record<string, string> = {
+  '&': '&amp;',
+  '<': '&lt;',
+  '>': '&gt;',
+  '"': '&quot;',
+  "'": '&#39;',
+};
+const urlSchemeRegex = /^(?:[a-zA-Z][a-zA-Z0-9+\-.]*:)/;
+const invalidRedirectUrlCharacters = /[\u0000-\u0020\u007F\\]/;
+const allowedRedirectProtocols = new Set(['http:', 'https:']);
+
+function escapeHtml(text: string): string {
+  return text.replace(/[&<>"']/g, (character) => htmlEscapeCharacters[character]);
+}
+
+function validateRedirectUrl(url: string): string {
+  if (invalidRedirectUrlCharacters.test(url)) {
+    throw new Error(
+      'Invalid redirect URL. Static redirects only support HTTP(S) URLs and same-origin absolute paths.',
+    );
+  }
+
+  if (url.startsWith('/') && !url.startsWith('//')) {
+    return url;
+  }
+
+  if (!urlSchemeRegex.test(url)) {
+    throw new Error(
+      'Invalid redirect URL. Static redirects only support HTTP(S) URLs and same-origin absolute paths.',
+    );
+  }
+
+  let parsedUrl: URL;
+  try {
+    parsedUrl = new URL(url);
+  } catch {
+    throw new Error(
+      'Invalid redirect URL. Static redirects only support HTTP(S) URLs and same-origin absolute paths.',
+    );
+  }
+
+  if (!allowedRedirectProtocols.has(parsedUrl.protocol)) {
+    throw new Error(
+      `Unsupported redirect URL protocol "${parsedUrl.protocol}". Static redirects only support HTTP(S) URLs and same-origin absolute paths.`,
+    );
+  }
+
+  return url;
+}
+
 /**
  * Generates a static HTML page with a meta refresh tag to redirect the user to a specified URL.
  *
@@ -32,16 +82,19 @@ export function isSsrRequestHandler(
  * @returns The HTML content of the static redirect page.
  */
 export function generateRedirectStaticPage(url: string): string {
+  const safeUrl = validateRedirectUrl(url);
+  const escapedUrl = escapeHtml(safeUrl);
+
   return `
 <!DOCTYPE html>
 <html>
   <head>
     <meta charset="utf-8">
     <title>Redirecting</title>
-    <meta http-equiv="refresh" content="0; url=${url}">
+    <meta http-equiv="refresh" content="0; url=${escapedUrl}">
   </head>
   <body>
-    <pre>Redirecting to <a href="${url}">${url}</a></pre>
+    <pre>Redirecting to <a href="${escapedUrl}">${escapedUrl}</a></pre>
   </body>
 </html>
 `.trim();

tests/e2e/tests/build/server-rendering/server-routes-output-mode-static.ts

@@ -4,6 +4,7 @@ import assert from 'node:assert';
 import {
   expectFileNotToExist,
   expectFileToMatch,
+  readFile,
   replaceInFile,
   writeFile,
 } from '../../../utils/fs';
@@ -48,6 +49,18 @@ export default async function () {
       path: 'ssg-redirect',
       redirectTo: 'ssg'
     },
+    {
+      path: 'ssg-redirect-xss',
+      redirectTo: '/ssg"><script>alert(1)</script>&q=x'
+    },
+    {
+      path: 'ssg-redirect-external',
+      component: Ssg,
+    },
+    {
+      path: 'ssg-redirect-unsafe-url',
+      component: Ssg,
+    },
     {
       path: 'ssg-redirect-via-guard',
       canActivate: [() => {
@@ -73,6 +86,11 @@ export default async function () {
   import { RenderMode, ServerRoute } from '@angular/ssr';
 
   export const serverRoutes: ServerRoute[] = [
+    {
+      path: 'ssg-redirect-external',
+      renderMode: RenderMode.Prerender,
+      headers: { Location: 'https://example.com/docs?from=ssg' },
+    },
     {
       path: 'ssg/:id',
       renderMode: RenderMode.Prerender,
@@ -108,21 +126,81 @@ export default async function () {
   await replaceInFile('src/app/app.routes.server.ts', 'RenderMode.Server', 'RenderMode.Prerender');
   await noSilentNg('build', '--output-mode=static');
 
-  const expects: Record<string, RegExp | string> = {
+  const escapedXssRedirectUrl = '/ssg&quot;&gt;&lt;script&gt;alert(1)&lt;/script&gt;&amp;q=x';
+  const expects: Record<string, RegExp | string | (RegExp | string)[]> = {
     'index.html': /ng-server-context="ssg".+home works!/,
     'ssg/index.html': /ng-server-context="ssg".+ssg works!/,
     'ssg/one/index.html': /ng-server-context="ssg".+ssg-with-params works!/,
     'ssg/two/index.html': /ng-server-context="ssg".+ssg-with-params works!/,
     // When static redirects are generated as meta tags.
     'ssg-redirect/index.html': '<meta http-equiv="refresh" content="0; url=/ssg">',
+    'ssg-redirect-xss/index.html': [
+      `<meta http-equiv="refresh" content="0; url=${escapedXssRedirectUrl}">`,
+      `<a href="${escapedXssRedirectUrl}">${escapedXssRedirectUrl}</a>`,
+    ],
+    'ssg-redirect-external/index.html': [
+      '<meta http-equiv="refresh" content="0; url=https://example.com/docs?from=ssg">',
+      '<a href="https://example.com/docs?from=ssg">https://example.com/docs?from=ssg</a>',
+    ],
     'ssg-redirect-via-guard/index.html':
       '<meta http-equiv="refresh" content="0; url=/ssg?foo=bar">',
   };
 
-  for (const [filePath, fileMatch] of Object.entries(expects)) {
-    await expectFileToMatch(join('dist/test-project/browser', filePath), fileMatch);
+  for (const [filePath, fileMatches] of Object.entries(expects)) {
+    for (const fileMatch of Array.isArray(fileMatches) ? fileMatches : [fileMatches]) {
+      await expectFileToMatch(join('dist/test-project/browser', filePath), fileMatch);
+    }
   }
 
+  const xssRedirectHtml = await readFile(
+    join('dist/test-project/browser', 'ssg-redirect-xss/index.html'),
+  );
+  assert.doesNotMatch(xssRedirectHtml, /<script>alert\(1\)<\/script>/);
+
+  await replaceInFile(
+    'src/app/app.routes.server.ts',
+    `{
+      path: '**',
+      renderMode: RenderMode.Prerender,
+    },`,
+    `{
+      path: 'ssg-redirect-unsafe-url',
+      renderMode: RenderMode.Prerender,
+      headers: { Location: 'javascript:alert(1)' },
+    },
+    {
+      path: '**',
+      renderMode: RenderMode.Prerender,
+    },`,
+  );
+
+  const { message: unsafeProtocolErrorMessage } = await expectToFail(() =>
+    noSilentNg('build', '--output-mode=static'),
+  );
+  assert.match(
+    unsafeProtocolErrorMessage,
+    /An error occurred while prerendering route '\/ssg-redirect-unsafe-url'/,
+  );
+  assert.match(unsafeProtocolErrorMessage, /Unsupported redirect URL protocol "javascript:"/);
+
+  await replaceInFile(
+    'src/app/app.routes.server.ts',
+    `headers: { Location: 'javascript:alert(1)' },`,
+    `headers: { Location: '/\\\\evil.com' },`,
+  );
+
+  const { message: backslashRedirectErrorMessage } = await expectToFail(() =>
+    noSilentNg('build', '--output-mode=static'),
+  );
+  assert.match(
+    backslashRedirectErrorMessage,
+    /An error occurred while prerendering route '\/ssg-redirect-unsafe-url'/,
+  );
+  assert.match(
+    backslashRedirectErrorMessage,
+    /Invalid redirect URL\. Static redirects only support HTTP\(S\) URLs and same-origin absolute paths\./,
+  );
+
   // Check that server directory does not exist
   assert(
     !existsSync('dist/test-project/server'),