Java

Reputation: 363

Angular against XSS

I want to use Angular and I found this about the security: https://angular.io/guide/security Is it right that only the usage of angular will protect you against all XSS attacks? No matter whether the data comes from the database or input from users?

Upvotes: 2

Views: 1392

Answers (2)

ganqqwerty

Reputation: 1994

Even though using Angular generally makes you less prone to XSS, we can't say that you have absolutely no risk. For example, the documentation of ViewChild and ViewChildren warns you about using ElementRef.nativeElement. They propose using the safe Renderer2 functions instead of accessing raw DOM functions and attributes on nativeElement, like innerHTML.

Upvotes: 1

user3467955

Reputation: 601

TL;DR - Yes, kind of. It depends on the Angular version that you use.

Untrusted as default

Today, Angular uses the sanitize function for each of the variables you insert into the template, unless you tell it otherwise (using the bypass functions). The function itself is pretty safe to use, and it covers most of the contexts, including HTML, style (CSS) and hrefs (e.g. javascript: URLs). Furthermore, Angular will notify you (using the browser console) of every change that the "sanitize" function makes.

Where Angular won't cover you

Using a server-side template in order to create HTML, or using template injection in resource URLs (for example

How to solve it?

There are a lot of techniques, but the safest and the state-of-the-art today is CSP (Content-Security-Policy). You can create and evaluate your CSP using a tool that Google created.

XSS in older versions of Angular

In older versions of Angular (such as 1.5), there were a series of "template injection" vulnerabilities, i.e. a malicious user could use the {{}} brackets in order to inject his own controlled input as HTML. For example, if a user is using this template:

    <p class="e2e-inner-html-interpolated">{{username}}</p>

he could choose a username to be "alert(alert(document.cookie))", and the result will be:

    <p class="e2e-inner-html-interpolated"><script>alert(alert(document.cookie))</script></p>

Meaning he could inject HTML directly into the page itself. Angular tried to fix it through the years, without much success (until a few versions ago).

Upvotes: 3
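The following is an added example, not Angular's source and not code from either answer above. It is a toy model, runnable in Node without the framework, of the three situations the answers describe: data binding where the interpolated value is escaped, a contextual sanitizer for the HTML and URL contexts (modelled on Angular's real behaviour of allowlisting URL schemes and prefixing everything else with "unsafe:"), and the server-side concatenation mistake that turns user input into template text, which is what the {{}} injection in older versions and the raw nativeElement.innerHTML write from the first answer both amount to. All function names, the tag allowlist and the sample data (the "apiToken" value, the username payload) are constructed for the demo; the HTML sanitizer is deliberately tiny and is not a substitute for a real one.

```javascript
// Added example: toy model of Angular-style contextual escaping. Not Angular code.

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// URL context: allowlist a few schemes plus relative URLs; anything else (javascript:,
// data:, vbscript:, ...) is prefixed with "unsafe:" so the browser cannot execute it.
// This mirrors what Angular's URL sanitizer does.
const SAFE_URL_PATTERN = /^(?:(?:https?|mailto|ftp|tel|file|sms):|[^&:/?#]*(?:[/?#]|$))/i;
function sanitizeUrl(url) {
  const trimmed = String(url).trim();
  return SAFE_URL_PATTERN.test(trimmed) ? trimmed : "unsafe:" + trimmed;
}

// HTML context: a deliberately tiny allowlist sanitizer (demo only, not production grade:
// it does not handle a ">" inside a quoted attribute value). Unknown tags become escaped
// text, every attribute except href is dropped, and href goes through the URL context.
const ALLOWED_TAGS = new Set(["b", "i", "p", "a"]); // constructed allowlist for the demo
function sanitizeHtml(html) {
  return String(html).replace(/<\/?([a-zA-Z][\w-]*)([^>]*)>/g, (tag, name, attrs) => {
    const lower = name.toLowerCase();
    if (!ALLOWED_TAGS.has(lower)) return escapeHtml(tag); // <script>, <img>, ... end up as text
    if (tag.startsWith("</")) return `</${lower}>`;
    const href = /\shref\s*=\s*"([^"]*)"/i.exec(attrs); // the only attribute we keep
    return href ? `<${lower} href="${escapeHtml(sanitizeUrl(href[1]))}">` : `<${lower}>`;
  });
}

// Data binding, the Angular way: the template is static, {{path}} is looked up in the
// component data and only the RESULT is escaped. Untrusted data never becomes template text.
function lookup(data, path) {
  return path.split(".").reduce((obj, key) => (obj == null ? undefined : obj[key]), data);
}
function renderBound(template, data) {
  return template.replace(/\{\{\s*([\w.]+)\s*\}\}/g, (_m, path) => {
    const value = lookup(data, path);
    return escapeHtml(value == null ? "" : value);
  });
}

// The template-injection mistake: a server builds the template by concatenating untrusted
// input, so the input is compiled as template (and emitted as raw HTML), not bound as data.
// Writing the same string to nativeElement.innerHTML has the same effect on the DOM.
function renderServerConcatenated(username, data) {
  const template = `<p class="e2e-inner-html-interpolated">Hello ${username}</p>`; // the bug
  return renderBound(template, data);
}

// Constructed sample data for the demo.
function demo() {
  const data = {
    username: "<script>alert(document.cookie)</script>",
    apiToken: "tok_constructed_123", // something else that happens to be in scope
  };
  return {
    // Bound as data: the payload is rendered as inert text.
    bound: renderBound("<p>{{username}}</p>", data),
    // Concatenated into the template: the payload is emitted as live HTML.
    injectedHtml: renderServerConcatenated(data.username, data),
    // Concatenated into the template: {{...}} is evaluated and reads other scope data.
    injectedExpr: renderServerConcatenated("{{apiToken}}", data),
    // HTML context: unknown tag escaped, event handler dropped, javascript: URL neutralised.
    sanitized: sanitizeHtml(
      '<b>hi</b><a href="javascript:alert(1)" onclick="x()">x</a><img src=x onerror=alert(1)>'
    ),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The point of `renderServerConcatenated` is that the input reaches the template compiler before binding happens, so no amount of output escaping in `renderBound` helps; the fix is to keep the template static and pass user data through bindings only, and to route any HTML you must render through the sanitizer rather than a raw DOM write.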

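As a concrete starting point for the CSP the answer recommends, here is an added example (not from the answer and not an official Angular policy): a weak header beside a tighter one. The directive values are assumptions to be adapted to the application; in particular, Angular injects component styles as inline `<style>` elements, so `style-src` needs either `'unsafe-inline'` or a nonce, depending on the Angular version, and a JIT-compiled build needs `'unsafe-eval'` in `script-src` while an AOT build does not. Run the result through the CSP evaluator mentioned above before deploying it.

```http
# Weak: 'unsafe-inline' in script-src lets any injected <script> or onerror= handler run,
# which defeats the point of the policy for XSS.
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'

# Tighter: scripts only from the app's own origin, no plugins, no framing, no <base> hijack.
# Keep style-src 'unsafe-inline' only if your Angular version cannot use a nonce for styles.
Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'; form-action 'self'
```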