AngularJS + cross-site scripting prevention

Front-end | Unresolved | 2 | 709
遇见更好的自我 2020-12-14 08:29

Does AngularJS take care of XSS attacks? I have read that ng-bind takes care of it. But when I try to do a sample to test that, it allows me to insert HTML tags in input type with n

2 answers
  •  渐次进展
    2020-12-14 08:51

    Look here: http://docs.angularjs.org/api/ngSanitize/service/$sanitize

    If you want to escape, use ng-bind; it'll render the tag without interpretation, like this:

    Hello World, not like Hello World!

    Do you understand? So ng-bind is safe because it doesn't care about HTML tags.

    If you want your HTML tags to be interpreted, but safely, just use ng-bind-html!

    For example, if you want to display this string:

    'Hello World'

    The result will be: Hello World, but without the input, because the AngularJS compiler uses the $sanitize service and checks a whitelist of HTML elements, and an input is not authorized.

    Maybe ng-bind-html is what you're looking for.

    If you just want to be sure that the user can't put HTML tags in your input, just use the ng-pattern directive on your inputs!

    http://docs.angularjs.org/api/ng/directive/input

    It takes a regex for the allowed characters in your input!

    Hope it helps!
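The three mechanisms the answer above names (text binding with ng-bind, allowlist sanitization with ng-bind-html and $sanitize, input validation with ng-pattern) can be modelled in plain Node.js so the difference between them can be run and inspected. This is an added example, not code from the answerer or from AngularJS: the template constant shows how the directives appear in markup, while the three functions are stand-ins for what each directive does. The sanitizer's tag allowlist, its attribute handling and the sample strings are assumptions made for the example; the real $sanitize also keeps a set of safe attributes.

```javascript
// Added illustration (not AngularJS's code, not the answerer's): models the three
// mechanisms named in the answer so the difference can be run in Node.
// The sanitizer is a simplified stand-in for ngSanitize's $sanitize; its allowlist
// and its "drop every attribute" rule are assumptions chosen for this example.

// How the three directives appear in an AngularJS template.
const TEMPLATE = `
<div ng-bind="userText"></div>                         <!-- value becomes text; tags show literally -->
<div ng-bind-html="userHtml"></div>                    <!-- needs ngSanitize; value passes through $sanitize -->
<input ng-model="name" ng-pattern="/^[A-Za-z0-9 ]*$/"> <!-- field gets a 'pattern' error if not matched -->
`;

// 1. ng-bind: the value is assigned as text, so the browser never parses it as
//    markup. When building an HTML string by hand, the equivalent is escaping.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// 2. ng-bind-html: an allowlist sanitizer. Elements not on the list are dropped
//    (their text content stays), <script>/<style> are dropped with their content,
//    and every attribute is removed. An <input>, as in the answer, is not allowed.
const ALLOWED_TAGS = new Set(['b', 'i', 'em', 'strong', 'p', 'br', 'ul', 'ol', 'li']);

function sanitizeHtml(html) {
  const withoutBlocked = String(html).replace(/<(script|style)\b[^>]*>[\s\S]*?<\/\1\s*>/gi, '');
  // Each match is either a tag (groups: closing slash, element name) or a run of text.
  const tokenRe = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)\b[^>]*>|[^<]+|</g;
  let out = '';
  for (const [token, slash, name] of withoutBlocked.matchAll(tokenRe)) {
    if (name !== undefined) {
      const lower = name.toLowerCase();
      if (ALLOWED_TAGS.has(lower)) out += `<${slash}${lower}>`; // attributes are never copied
    } else {
      out += token.replace(/</g, '&lt;').replace(/>/g, '&gt;'); // stray brackets in text
    }
  }
  return out;
}

// 3. ng-pattern: the whole value must match the regex, otherwise the field is
//    marked invalid with a 'pattern' validation error.
function validateWithPattern(value, pattern) {
  const valid = pattern.test(String(value));
  return { valid, errors: valid ? {} : { pattern: true } };
}

// Constructed sample inputs: the answer's "Hello World" with formatting, with an
// added <input>, with a script element, and with a bare '<' in ordinary text.
const SAMPLES = [
  'Hello <b>World</b>',
  'Hello <b>World</b><input type="text" onfocus="doSomething()">',
  '<script>alert(1)</script>Hi',
  'a < b',
];

// Runs every sample through the three mechanisms and returns the table of results.
function demo() {
  const results = SAMPLES.map((s) => ({
    raw: s,
    ngBind: escapeHtml(s),
    ngBindHtml: sanitizeHtml(s),
    ngPattern: validateWithPattern(s, /^[A-Za-z0-9 ]*$/).valid,
  }));
  for (const r of results) console.log(r);
  return results;
}

demo();
```

Running it shows the contrast the answer describes: ng-bind turns `<b>` into the literal text `&lt;b&gt;`, the sanitizer keeps `<b>` but removes the `<input>` (and the script element entirely), and the ng-pattern check rejects any value containing a tag at all, which is the right tool when the field should never hold markup in the first place.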
