What is the meaning of "trusted html" in AngularJS

I'm new to AngularJS, and when editing and posting user comments (which are allowed to contain HTML tags, for example strong ones), I've often heard the term "trusted HTML" in an AngularJS context. What does it mean? Why do we need to "trust" HTML? Can users inject malicious HTML code? (How about JavaScript injection?) I never understood that. Why should we trust this? The current way I do it is: when a user posts a comment, it is passed through mysqli_real_escape_string and stored in the database, then pulled from the database and displayed with:

<span ng-bind-html="commentText"></span>


Is it dangerous? Am I asking to get hacked or "pwned"?

Also, user comments can have attributes like strong, italic, underline, etc., but not h1 or sup. I currently don't have a filter to just highlight strong, italic and underline. If I code alone or use an open source text editor, do I still need to worry about this "trust html" thing?

+3

3 answers


It's a matter of code that serves this purpose. If you're building a site that contains user profiles and you want people to submit text that describes themselves, you probably don't want them to add logic to perform malicious actions when that text is loaded into a view for any user navigating to your site.

A while back, TweetDeck ended up evaluating JavaScript contained in tweets, and as a result someone got the smart idea to create a small piece of JavaScript that would itself click the retweet button as soon as the tweet was visible. You can imagine how quickly this spread. The authors of TweetDeck (inadvertently) trusted the text of the tweet - they shouldn't have.



Read more: TweetDeck has been hacked - and this tweet is being rewritten over and over again

+1


Blind trust in HTML that your users provide can lead to a common vulnerability called Cross Site Scripting (often abbreviated as XSS). This vulnerability will allow your users to inject their own <script> tags (and other clever ways to run JavaScript), which can cause serious security issues.



To get around this, you can use ngSanitize, which will sanitize the HTML and ensure that those bad tags are not used.

+1
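An added example (not from the question or any of the answers) of the allowlist idea behind sanitizing: keep only the strong, emphasis and underline tags the question wants, HTML-escape every other tag or attribute, and close whatever the user left open. The function names are hypothetical; escaping for the database (mysqli_real_escape_string) is a separate layer that does nothing for the browser, and in AngularJS the result would still be bound through ng-bind-html with ngSanitize loaded rather than marked as trusted.

```javascript
// Allowlist filter for user comments (added example, not the page's own code).
// Only bare inline formatting tags survive; anything with attributes
// (onerror=, href=, style=) never matches the tag pattern and is escaped as text.
const ALLOWED_TAGS = new Set(["strong", "b", "em", "i", "u"]);

function escapeHtml(text) {
  return text
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

function filterCommentHtml(input) {
  // Matches <tag> or </tag> with no attributes at all.
  const tagRe = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)\s*>/g;
  const open = [];   // stack of currently open allowed tags, for auto-closing
  let out = "";
  let last = 0;
  let m;
  while ((m = tagRe.exec(input)) !== null) {
    out += escapeHtml(input.slice(last, m.index));   // text between tags
    const closing = m[1] === "/";
    const name = m[2].toLowerCase();
    if (!ALLOWED_TAGS.has(name)) {
      out += escapeHtml(m[0]);          // <script>, <h1>, <sup>: rendered as literal text
    } else if (!closing) {
      open.push(name);
      out += `<${name}>`;
    } else if (open.length && open[open.length - 1] === name) {
      open.pop();
      out += `</${name}>`;
    } else {
      out += escapeHtml(m[0]);          // stray or mis-nested closing tag
    }
    last = m.index + m[0].length;
  }
  out += escapeHtml(input.slice(last));
  while (open.length) out += `</${open.pop()}>`;   // close what the user forgot
  return out;
}

// Constructed sample comments (not real user data).
const SAMPLE_COMMENTS = [
  "<strong>Great</strong> post, <em>thanks</em>",
  "<script>alert(1)</script>",
  "<img src=x onerror=alert(1)>",
  "<h1>huge</h1> <u>fine</u>",
];
```

A value produced this way still goes through $sanitize when bound with ng-bind-html and ngSanitize loaded; $sce.trustAsHtml is only for markup your own code generated, never for user comments.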


You can potentially be vulnerable to XSS (Cross Site Scripting) attacks if you don't sanitize your user input before displaying it, potentially allowing attackers to inject code into your site.

You need to make a decision: should I trust the data that the user gives me? And can I be sure the data will be safe when I show it?

If trusted HTML is your thing, you can bypass the sanitization phase in angular. See this question for more information: How can I display HTML in a <div> with Angular 1.2.0 - rc2

+1
