VSO

Reputation: 12636

What are the Risks of Disabling ngSanitize?

What's the risk of allowing the user to generate unsanitized HTML? I am using text-angular and want to use:

 ta-unsafe-sanitizer="true"

https://github.com/fraywing/textAngular/issues/233

Now - I imagine 99.9% of the people reading this have no idea what text-angular is, so I am mainly interested in the overall consequences of allowing raw html.

Upvotes: 0

Views: 381

Answers (1)

Dvir

Reputation: 3339

Assume that you have a form element with inputs, and the user inserts into the input something like drop table users. If you have weak server code or some service whose security level you have no idea about, you can lose your data. Now, this is an example. There are a lot of ways to do bad things in a similar way.

Another example is to insert into an image's src some URL with query parameters like

<img 
   src='http://somehackingsite.com/images/lol.png?userIp="some scriptor other hacking style"' />

AngularJS offers a way to solve it with ngSanitize:

Sanitizes an html string by stripping all potentially dangerous tokens.

The input is sanitized by parsing the HTML into tokens. All safe tokens (from a whitelist) are then serialized back to properly escaped html string. This means that no unsafe input can make it into the returned string.

The whitelist for URL sanitization of attribute values is configured using the functions aHrefSanitizationWhitelist and imgSrcSanitizationWhitelist of $compileProvider.

Upvotes: 1
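To make concrete what the quoted description of ngSanitize means (tokenize the input, keep only whitelisted tokens, re-serialize as escaped HTML), here is an added example in plain JavaScript. It is not AngularJS's ngSanitize and not code from the question or answer; its tag and attribute whitelists, the URL-scheme regexes standing in for aHrefSanitizationWhitelist / imgSrcSanitizationWhitelist, and the regex-based tokenizer are simplified assumptions made for illustration.

```javascript
// Added example (not AngularJS's ngSanitize, not code from the question or
// answer): a minimal whitelist-based HTML sanitizer built the way the quoted
// description says ngSanitize works. Input is tokenized into tags and text,
// only whitelisted tags / attributes / URL schemes are kept, and the result is
// re-serialized as properly escaped HTML. The whitelists, URL regexes and the
// regex tokenizer are simplified assumptions for illustration only.

const ALLOWED_TAGS = new Set(['b', 'i', 'em', 'strong', 'p', 'br', 'ul', 'ol', 'li', 'a', 'img']);
const ALLOWED_ATTRS = { a: new Set(['href', 'title']), img: new Set(['src', 'alt']) };
const VOID_TAGS = new Set(['br', 'img']);
// Stand-in for aHrefSanitizationWhitelist / imgSrcSanitizationWhitelist:
// a URL-bearing attribute survives only if its scheme matches.
const URL_WHITELIST = { href: /^(?:https?|mailto):/i, src: /^https?:/i };

const TAG_RE = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g;
const ATTR_RE = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

function escapeText(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

function isSafeUrl(attr, value) {
  // Strip whitespace/control characters first so "java\tscript:" cannot slip past the scheme check.
  const cleaned = value.replace(/[\s\x00-\x1f]/g, '');
  return URL_WHITELIST[attr].test(cleaned);
}

function sanitizeAttrs(tag, attrString) {
  const allowed = ALLOWED_ATTRS[tag];
  if (!allowed) return '';
  let out = '';
  for (const m of attrString.matchAll(ATTR_RE)) {
    const name = m[1].toLowerCase();
    const value = m[2] ?? m[3] ?? m[4] ?? '';
    if (!allowed.has(name)) continue;                              // drops onclick, onerror, style, ...
    if (URL_WHITELIST[name] && !isSafeUrl(name, value)) continue;  // drops javascript:, data:, ...
    out += ` ${name}="${escapeText(value)}"`;
  }
  return out;
}

function sanitize(html) {
  let out = '';
  let last = 0;
  const open = [];   // stack of currently open whitelisted tags, so output stays well-formed
  for (const m of html.matchAll(TAG_RE)) {
    out += escapeText(html.slice(last, m.index));   // text between tags is always escaped
    last = m.index + m[0].length;
    const tag = m[2].toLowerCase();
    if (!ALLOWED_TAGS.has(tag)) continue;            // non-whitelisted tag markup is dropped entirely
    if (m[1] === '/') {
      const idx = open.lastIndexOf(tag);
      if (idx === -1) continue;                      // stray closing tag
      while (open.length > idx) out += `</${open.pop()}>`;
    } else {
      out += `<${tag}${sanitizeAttrs(tag, m[3])}>`;
      if (!VOID_TAGS.has(tag)) open.push(tag);
    }
  }
  out += escapeText(html.slice(last));
  while (open.length) out += `</${open.pop()}>`;   // close anything the input left open
  return out;
}

// Constructed sample inputs of the kind a rich-text editor would hand back unsanitized.
const SAMPLES = [
  '<b onclick="alert(1)">hi</b>',
  '<script>alert(1)</script>',
  '<a href="javascript:alert(1)">x</a>',
  '<a href="java\tscript:alert(1)">x</a>',
  '<img src="http://example.com/a.png?x=1&y=2" onerror="alert(1)">',
  '<iframe src="http://example.com"></iframe>',
  'a < b',
  '<i>unclosed',
];
for (const s of SAMPLES) console.log(JSON.stringify(s), '=>', JSON.stringify(sanitize(s)));
```

Two simplifications are worth knowing about: this version keeps the text inside a dropped `<script>` block as escaped plain text, whereas the real ngSanitize discards it, and a regex tokenizer is not a substitute for a proper HTML parser in production. The point it demonstrates is the whitelist principle from the quoted docs: every event-handler attribute, unknown tag and non-whitelisted URL scheme is removed because it was never on the allow list, not because it was recognised as an attack.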
