fix(@angular/build): escape prerender redirect URLs

Escape prerender redirect targets before embedding them in generated static
redirect pages.

This prevents attacker-controlled redirect URLs from breaking out of the meta
refresh, anchor href, or fallback text contexts and injecting HTML that could
lead to XSS.

Author: SkyZeroZx

packages/angular/build/src/utils/server-rendering/utils.ts

@@ -22,6 +22,18 @@ export function isSsrRequestHandler(
   return typeof value === 'function' && '__ng_request_handler__' in value;
 }
 
+const htmlEscapeCharacters: Record<string, string> = {
+  '&': '&amp;',
+  '<': '&lt;',
+  '>': '&gt;',
+  '"': '&quot;',
+  "'": '&#39;',
+};
+
+function escapeHtml(text: string): string {
+  return text.replace(/[&<>"']/g, (character) => htmlEscapeCharacters[character]);
+}
+
 /**
  * Generates a static HTML page with a meta refresh tag to redirect the user to a specified URL.
  *
@@ -32,16 +44,18 @@ export function isSsrRequestHandler(
  * @returns The HTML content of the static redirect page.
  */
 export function generateRedirectStaticPage(url: string): string {
+  const escapedUrl = escapeHtml(url);
+
   return `
 <!DOCTYPE html>
 <html>
   <head>
     <meta charset="utf-8">
     <title>Redirecting</title>
-    <meta http-equiv="refresh" content="0; url=${url}">
+    <meta http-equiv="refresh" content="0; url=${escapedUrl}">
   </head>
   <body>
-    <pre>Redirecting to <a href="${url}">${url}</a></pre>
+    <pre>Redirecting to <a href="${escapedUrl}">${escapedUrl}</a></pre>
   </body>
 </html>
 `.trim();

tests/e2e/tests/build/server-rendering/server-routes-output-mode-static.ts

@@ -4,6 +4,7 @@ import assert from 'node:assert';
 import {
   expectFileNotToExist,
   expectFileToMatch,
+  readFile,
   replaceInFile,
   writeFile,
 } from '../../../utils/fs';
@@ -48,6 +49,10 @@ export default async function () {
       path: 'ssg-redirect',
       redirectTo: 'ssg'
     },
+    {
+      path: 'ssg-redirect-xss',
+      redirectTo: '/ssg"><script>alert(1)</script>&q=x'
+    },
     {
       path: 'ssg-redirect-via-guard',
       canActivate: [() => {
@@ -108,21 +113,33 @@ export default async function () {
   await replaceInFile('src/app/app.routes.server.ts', 'RenderMode.Server', 'RenderMode.Prerender');
   await noSilentNg('build', '--output-mode=static');
 
-  const expects: Record<string, RegExp | string> = {
+  const escapedXssRedirectUrl = '/ssg&quot;&gt;&lt;script&gt;alert(1)&lt;/script&gt;&amp;q=x';
+  const expects: Record<string, RegExp | string | (RegExp | string)[]> = {
     'index.html': /ng-server-context="ssg".+home works!/,
     'ssg/index.html': /ng-server-context="ssg".+ssg works!/,
     'ssg/one/index.html': /ng-server-context="ssg".+ssg-with-params works!/,
     'ssg/two/index.html': /ng-server-context="ssg".+ssg-with-params works!/,
     // When static redirects are generated as meta tags.
     'ssg-redirect/index.html': '<meta http-equiv="refresh" content="0; url=/ssg">',
+    'ssg-redirect-xss/index.html': [
+      `<meta http-equiv="refresh" content="0; url=${escapedXssRedirectUrl}">`,
+      `<a href="${escapedXssRedirectUrl}">${escapedXssRedirectUrl}</a>`,
+    ],
     'ssg-redirect-via-guard/index.html':
       '<meta http-equiv="refresh" content="0; url=/ssg?foo=bar">',
   };
 
-  for (const [filePath, fileMatch] of Object.entries(expects)) {
-    await expectFileToMatch(join('dist/test-project/browser', filePath), fileMatch);
+  for (const [filePath, fileMatches] of Object.entries(expects)) {
+    for (const fileMatch of Array.isArray(fileMatches) ? fileMatches : [fileMatches]) {
+      await expectFileToMatch(join('dist/test-project/browser', filePath), fileMatch);
+    }
   }
 
+  const xssRedirectHtml = await readFile(
+    join('dist/test-project/browser', 'ssg-redirect-xss/index.html'),
+  );
+  assert.doesNotMatch(xssRedirectHtml, /<script>alert\(1\)<\/script>/);
+
   // Check that server directory does not exist
   assert(
     !existsSync('dist/test-project/server'),