Bug#1110226: marked as done (unblock: angular.js/1.8.3-3) (2/2)
From
Debian Bug Tracking System@21:1/5 to
All on Fri Aug 1 16:10:01 2025
[continued from previous message]
+ }
+ }
+ }
+
+ angular
+ .module('app', [])
+ .controller('AppCtrl', AppCtrl);
+ </script>
+</head>
+<body ng-app="app" ng-controller="AppCtrl as ctrl">
+</body>
+</html>
+`;
+
+const virtualConsole = new VirtualConsole();
+virtualConsole.sendTo(console);
+
+const dom = new JSDOM(html, {
+ runScripts: "dangerously",
+ resources: "usable",
+ virtualConsole
+});
+dom.window.process = process;
+
+dom.window.document.addEventListener("DOMContentLoaded", () => {
+ const angular = dom.window.angular;
+ angular.element(dom.window.document).ready(() => {
+ angular.bootstrap(dom.window.document, ['app']);
+ });
+});
+
diff -Nru angular.js-1.8.3/debian/tests/CVE-2023-26117-PoC.js angular.js-1.8.3/debian/tests/CVE-2023-26117-PoC.js
--- angular.js-1.8.3/debian/tests/CVE-2023-26117-PoC.js 1970-01-01 01:00:00.000000000 +0100
+++ angular.js-1.8.3/debian/tests/CVE-2023-26117-PoC.js 2025-07-19 22:50:13.000000000 +0200
@@ -0,0 +1,90 @@
+#!/usr/bin/env node
+
+const { JSDOM, VirtualConsole } = require("jsdom");
+const fs = require("fs");
+
+const angularPath = "/usr/share/javascript/angular.js/angular.min.js";
+const angularResource = "/usr/share/javascript/angular.js/angular-resource.min.js";
+const angularMocks = "/usr/share/javascript/angular.js/angular-mocks.js";
+
+const angularJS = fs.readFileSync(angularPath, "utf-8");
+const angularResourceJS = fs.readFileSync(angularResource, "utf-8");
+const angularMocksJS = fs.readFileSync(angularMocks, "utf-8");
+
+const html = `
+<!DOCTYPE html>
+<html>
+<head>
+ <script>${angularJS}</script>
+ <script>${angularResourceJS}</script>
+ <script>${angularMocksJS}</script>
+
+ <script>
+ class AppCtrl {
+ constructor($resource) {
+ this.$resour