Security functions in angularjs

Hi, I would like to know about the security features of AngularJS. I have read that Angular provides built-in protection against basic security holes.

  • Prevents cross-site scripting attacks.
  • Prevents HTML injection attacks.
  • Provides XSRF protection for server-side communication.

What is the best practice for building a secure Angular app? Are ngCsp, $sce and $sanitize really required for a secure web app?

1 answer


You can enable AngularJS CSP support. More details here. Sample code below:

<!doctype html>
<html ng-app ng-csp>
...
...
</html>


ng-csp forces you not to use code that can be evaluated, like eval and Function.

ngSanitize, from the docs:

The input is sanitized by parsing the HTML into tokens. All safe tokens (from a whitelist) are then serialized back into a properly escaped HTML string. This means that no unsafe input can make it into the returned string; however, since our parser is stricter than a typical browser parser, it is possible that some obscure input that would be recognized as valid HTML by the browser will not pass through the sanitizer. The input can also contain SVG markup. Whitelist using the functions aHrefSanitizationWhitelist and imgSrcSanitizationWhitelist from $compileProvider.



You just can't attach the whole code with innerHTML.

For $sce, you can refer to the following links: trustAsHtml and its nice tutorial.

Alternatively, you can use an authentication token.

Edit: you can also check the input on the backend to make sure no injection has been made.
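An added example, not code from the post or from AngularJS itself, of the token-and-whitelist approach the quoted docs describe: a miniature sanitizer that keeps only whitelisted tags and attributes, re-escapes text, and passes href/src through scheme regexes modelled on the aHrefSanitizationWhitelist and imgSrcSanitizationWhitelist defaults (assumed, not copied from the library), marking failures with the same "unsafe:" prefix AngularJS uses. The tag and attribute lists and all inputs are constructed for the example.

```javascript
const A_HREF_WHITELIST = /^\s*(https?|ftp|mailto|tel|file):/i;          // assumed: modelled on the AngularJS default
const IMG_SRC_WHITELIST = /^\s*((https?|ftp|file|blob):|data:image\/)/i; // assumed: modelled on the AngularJS default
const SAFE_TAGS = new Set(['a', 'b', 'i', 'em', 'strong', 'p', 'br', 'ul', 'li', 'img']); // constructed list
const SAFE_ATTRS = new Set(['href', 'src', 'alt', 'title']);                               // constructed list
const BLOCKED = new Set(['script', 'style']); // element and its body are dropped entirely

// URL attribute check in the spirit of AngularJS $$sanitizeUri: a value that
// fails the whitelist is neutralised by prefixing "unsafe:" rather than kept.
function sanitizeUri(uri, isImage) {
  return (isImage ? IMG_SRC_WHITELIST : A_HREF_WHITELIST).test(uri) ? uri : 'unsafe:' + uri;
}

// Escape on the way out; '&' is always escaped (safe side, no entity decoding here).
const escapeText = (s) => s.replace(/&/g, '&amp;').replace(/</g, '&lt;')
                           .replace(/>/g, '&gt;').replace(/"/g, '&quot;');

function serializeAttrs(tag, attrText) {
  const attrRe = /([\w-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let out = '', m;
  while ((m = attrRe.exec(attrText)) !== null) {
    const name = m[1].toLowerCase();
    let value = m[2] || m[3] || m[4] || '';
    if (!SAFE_ATTRS.has(name)) continue;                 // on* handlers, style, etc. are dropped
    if (name === 'href' || name === 'src') value = sanitizeUri(value, tag === 'img');
    out += ` ${name}="${escapeText(value)}"`;
  }
  return out;
}

function sanitizeHtml(html) {
  // Tokens: end tag | start tag with raw attribute text | text. Anything not
  // recognised as a tag is treated as text, which is why '<3' survives escaped.
  const tokenRe = /<\/([a-zA-Z][\w-]*)\s*>|<([a-zA-Z][\w-]*)((?:\s+[\w-]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?)*)\s*\/?>|([^<]+|<)/g;
  let out = '', blocked = null, m;
  while ((m = tokenRe.exec(html)) !== null) {
    const [, end, start, attrText, text] = m;
    // Inside <script>/<style>: skip everything until the matching end tag.
    if (blocked) { if (end && end.toLowerCase() === blocked) blocked = null; continue; }
    if (start !== undefined) {
      const tag = start.toLowerCase();
      if (BLOCKED.has(tag)) blocked = tag;
      else if (SAFE_TAGS.has(tag)) out += `<${tag}${serializeAttrs(tag, attrText)}>`;
    } else if (end !== undefined) {
      const tag = end.toLowerCase();
      if (SAFE_TAGS.has(tag) && tag !== 'br' && tag !== 'img') out += `</${tag}>`;
    } else {
      out += escapeText(text);
    }
  }
  return out;
}
```

Note that this toy tokenizer does not decode entities or handle comments and CDATA, which is exactly the kind of gap the quoted docs warn about when a hand-written parser is stricter or looser than the browser's.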
