AngularJS + cross-site scripting prevention

Front-end | Unresolved | 2 | 703
遇见更好的自我 2020-12-14 08:29

Does AngularJS take care of XSS attacks? I have read that ng-bind takes care of it. But when I try to do a sample to test that, it allows me to insert HTML tags in input type with n

2 answers
  • 2020-12-14 08:51

    Look here: http://docs.angularjs.org/api/ngSanitize/service/$sanitize

    If you want to escape, use ng-bind; it will render the tag without interpretation, like this:

    Hello <b>World</b> and not Hello World!

    Do you understand? So ng-bind is safe because it doesn't care about HTML tags.

    If you want your HTML tags to be interpreted, but safely, just use ng-bind-html!

    For example, if you want to display this string:

    'Hello <b>World</b><input type="text" />'

    The result will be: Hello World, but without the input, because the AngularJS compiler uses the $sanitize service and checks a whitelist of HTML elements, and an input is not authorized.

    Maybe ng-bind-html is what you're looking for.

    If you just want to be sure that the user can't put HTML tags in your input, just use the ng-pattern directive on your inputs!

    http://docs.angularjs.org/api/ng/directive/input

    It takes a regex for the allowed characters in your input!

    Hope it helps!

    0 | Discussion (0)
  • 2020-12-14 09:05

    I don't believe that AngularJS has default whitelist input validation, which is what your test exercises. So a user can pretty much input anything they like. This is not surprising - whitelists are very domain specific, and Angular is a framework designed for a wide range of domains.

    The main defense against XSS is to properly encode all untrusted data (see https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_(XSS)). This, Angular does by default.

    Bottom line is that AngularJS is intended to be secure from XSS by default, no special action required. You can verify some basic scenarios by trying to output what you input into a view using the normal {{scopevariable}} notation.

    I did find a detailed analysis of AngularJS XSS vulnerability: https://code.google.com/p/mustache-security/wiki/AngularJS. At the end of the comments, there is a link to a google doc with further discussion and response from the angular team.

    0 | Discussion (0)
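The two answers describe three distinct mechanisms: output encoding (what ng-bind and {{ }} interpolation do), an element allowlist applied to rich HTML (what ng-bind-html does through $sanitize), and an input-side character allowlist (ng-pattern). The block below models all three in plain JavaScript so the difference is visible without a browser. It is an added example, not code from the original post and not AngularJS's own implementation; the function names, the contents of the allowlists and the simplified tokenizer are assumptions of the example.

```javascript
// Added example, not code from the original post or from AngularJS itself.
// Plain-JavaScript models of the three defenses the answers describe:
//   escapeHtml   - output encoding, as ng-bind / {{ }} do: tags are shown
//                  literally and never reach the HTML parser as markup.
//   sanitizeHtml - an element allowlist in the spirit of $sanitize, as used by
//                  ng-bind-html: <b> survives, <input> and <script> do not.
//                  Simplified stand-in; the real $sanitize is more thorough.
//   isPlainText  - an input-side allowlist, the role ng-pattern plays.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Output encoding for an HTML text context.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Allowlist assumed for this example. $sanitize's own list is larger and also
// allowlists attributes; here every attribute is dropped wholesale.
const ALLOWED_TAGS = new Set(['b', 'i', 'em', 'strong', 'p', 'br', 'ul', 'ol', 'li']);
// Elements whose text content must be discarded too, not only the tag.
const DROP_WITH_CONTENT = new Set(['script', 'style']);

function sanitizeHtml(untrusted) {
  // Split into tag tokens and text tokens. Simplification: comments, CDATA and
  // '>' inside quoted attribute values are not handled.
  const tokens = String(untrusted).match(/<[^>]*>|[^<]+/g) || [];
  let out = '';
  let skipUntil = null; // name of the DROP_WITH_CONTENT element we are inside
  for (const tok of tokens) {
    if (tok[0] !== '<') {
      // Text node: re-encoded so a stray '>' or quote cannot form markup.
      // (Entities already present are encoded again; a production sanitizer
      // decodes first.)
      if (skipUntil === null) out += escapeHtml(tok);
      continue;
    }
    const m = /^<\s*(\/?)\s*([a-zA-Z][a-zA-Z0-9]*)/.exec(tok);
    if (!m) continue; // malformed tag or comment: dropped
    const closing = m[1] === '/';
    const name = m[2].toLowerCase();
    if (skipUntil !== null) {
      if (closing && name === skipUntil) skipUntil = null;
      continue;
    }
    if (!closing && DROP_WITH_CONTENT.has(name)) {
      skipUntil = name;
      continue;
    }
    if (ALLOWED_TAGS.has(name)) {
      // Re-emit the tag from its name only: attributes are discarded, which
      // also removes on* handlers and javascript: URLs.
      out += closing ? `</${name}>` : `<${name}>`;
    }
    // Disallowed element such as <input>: tag dropped, its text content kept.
  }
  return out;
}

// Input-side allowlist, the role ng-pattern plays on a form field.
const PLAIN_TEXT = /^[A-Za-z0-9 .,!?'-]*$/;
function isPlainText(value, pattern = PLAIN_TEXT) {
  return pattern.test(String(value));
}

// Stand-alone demonstration on the constructed string from the first answer.
const sample = 'Hello <b>World</b><input type="text" />';
console.log('ng-bind      :', escapeHtml(sample));
console.log('ng-bind-html :', sanitizeHtml(sample));
console.log('ng-pattern   :', isPlainText(sample));
```

Run with `node` to see the three outcomes side by side: the first prints the tags literally, the second keeps the bold element and drops the input element, and the third rejects the string outright. The sanitizer drops every attribute rather than allowlisting them, which is the simplest safe choice for an example but is why real sanitizers are considerably longer.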