Reputation: 2751
I'm pretty new to AngularJS, and while coding the editing and posting of user comments (which are allowed to contain HTML tags such as strong), I've often heard the term "trust HTML" in an AngularJS context. What does this mean? Why do we need to "trust" the HTML? Can users potentially inject some malicious HTML code (like a JavaScript injection)? I never really understood this. Why do we need to trust it? The way I'm currently doing it: a user posts a comment, it gets sanitized via mysqli_real_escape_string and stored in the database, then later pulled out of the database and displayed using:
<span ng-bind-html="commentText"></span>
Is this dangerous? Am I asking to get hacked or "pwned"?
Also, the user's comments are allowed to have attributes like strong, italics, underline, etc., but not h1 or sup. Currently I have no filter for allowing just strong, italics, and underline. If I code one, or use an open source text editor, do I still need to worry about this "trust HTML" thing?
Upvotes: 3
Views: 873
Reputation: 218
You could potentially be vulnerable to XSS (Cross Site Scripting) attacks if you do not sanitize your user input before displaying it, potentially allowing attackers to inject code onto your website.
You need to make the decision: do I trust the data that the user gives me, and can I be sure that the data will be safe when I display it?
If trusted HTML is your thing, you can bypass the sanitize phase in Angular. See this question for more information: How can I display HTML in a <div> with Angular 1.2.0 - rc2
Upvotes: 1
Reputation: 268492
It's a matter of code serving its intended purpose. If you are building a site that contains user profiles, and you want people to submit text describing themselves, you probably don't want them adding in logic to perform malicious activities when you load that text into the view for any user navigating to your site.
A while back TweetDeck was taken by the realization that JavaScript would be evaluated within tweets, and as a result, somebody got the clever idea to author a small bit of JavaScript that would self-click the retweet button as soon as the tweet is visible. You can imagine how quickly that became retweeted. The authors of TweetDeck (unintentionally) trusted Tweet text - they shouldn't have.
Read more: TweetDeck Was Hacked — And This Tweet Is Getting Retweeted Over And Over Again
Upvotes: 1
Reputation: 735
Blindly trusting HTML that your users provide can lead to a common vulnerability called Cross Site Scripting (often abbreviated as XSS). This vulnerability would allow your users to inject their own <script> tags (and other clever ways to run JavaScript), which could cause some serious security issues.
To get around this, you can use ngSanitize, which will sanitize the HTML and ensure that those bad tags aren't used.
Upvotes: 1
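As an added example (not code from the question or any of the answers), here is the policy the asker describes, bold/italic/underline only with h1 and everything else removed, written as a stand-alone JavaScript allowlist sanitizer that runs before the string reaches ng-bind-html; it also shows why mysqli_real_escape_string does not help here, since SQL escaping protects the query and leaves a tag such as `<img onerror=...>` untouched. The tag lists, the blocked-container rule and the regex tokenizer are my assumptions; ngSanitize itself uses a real HTML parser, which is what a production app should rely on.

```javascript
// Added example, not from the question or any answer: an allowlist
// sanitizer in the spirit of ngSanitize. ngSanitize uses a real HTML
// parser; this regex tokenizer is a teaching stand-in (assumption).
// Policy assumed from the question: only bold/italic/underline tags
// survive, every attribute is dropped, everything else is removed.

const ALLOWED_TAGS = new Set(['strong', 'b', 'em', 'i', 'u']);
// Elements whose contents are dropped too, not just their tags.
const BLOCKED_CONTAINERS = new Set(['script', 'style']);

// Escape text so no character in it can start markup.
function escapeText(text) {
  return text
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;');
}

// Matches a start/end tag (group 1 = "/" if closing, group 2 = name)
// or an HTML comment. A stray "<" that forms no tag stays text.
const TAG_RE = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)[^>]*>|<!--[\s\S]*?-->/g;

function sanitizeComment(html) {
  let out = '';
  let last = 0;
  let skipping = null; // name of the blocked container we are inside
  TAG_RE.lastIndex = 0;
  let m;
  while ((m = TAG_RE.exec(html)) !== null) {
    const text = html.slice(last, m.index);
    last = TAG_RE.lastIndex;
    if (!skipping) out += escapeText(text);
    const isClose = m[1] === '/';
    const name = m[2] ? m[2].toLowerCase() : null; // null for comments
    if (skipping) {
      if (isClose && name === skipping) skipping = null;
    } else if (name && BLOCKED_CONTAINERS.has(name) && !isClose) {
      skipping = name;
    } else if (name && ALLOWED_TAGS.has(name)) {
      // Re-emit with no attributes, so onclick=, style= or a
      // javascript: href cannot ride along on an allowed tag.
      out += isClose ? `</${name}>` : `<${name}>`;
    }
    // Anything else (h1, img, a, comments, ...) is silently dropped.
  }
  if (!skipping) out += escapeText(html.slice(last));
  return out;
}
```

In AngularJS, loading the ngSanitize module gives ng-bind-html this kind of filtering automatically; wrapping the string with $sce.trustAsHtml does the opposite and skips it entirely, which is the "trust HTML" the question asks about.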