Security
Best Practices
To systematically block XSS bugs, Angular treats all values as untrusted by default. Values inserted into the DOM through interpolation or property bindings are sanitized and escaped before insertion. You can manually sanitize untrusted values with DomSanitizer.sanitize, passing the SecurityContext (HTML, STYLE, URL, ...) the value will be used in.
Always use the AOT (Ahead-of-Time) template compiler in production deployments: templates are compiled at build time, so they are never assembled from data at runtime, which closes off template injection.
Bypass Security
To mark values as trusted, inject DomSanitizer and call one of its bypassSecurityTrust* methods. Do this only for values you control, because the bypassed value is inserted into the DOM as-is:

import { Component } from '@angular/core';
import { DomSanitizer, SafeUrl } from '@angular/platform-browser';

@Component({ selector: 'app-bypass-security', template: '<a [href]="trustedUrl">Click me</a>' })
export class BypassSecurityComponent {
  dangerousUrl: string;
  trustedUrl: SafeUrl;

  constructor(private sanitizer: DomSanitizer) {
    // javascript: URLs are dangerous if attacker controlled.
    // Angular sanitizes them in data binding, but you can
    // explicitly tell Angular to trust this value:
    this.dangerousUrl = 'javascript:alert("Hi there")';
    this.trustedUrl = sanitizer.bypassSecurityTrustUrl(this.dangerousUrl);
  }
}
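To make the "untrusted by default, trusted only when explicitly marked" rule concrete, here is an added, framework-free model of what a URL binding goes through; it is not Angular's own code, and the TrustedUrl class, the SAFE_URL allowlist and the resolveHref helper are assumptions chosen for illustration (real Angular does this inside DomSanitizer and its binding pipeline).

```typescript
// Added example, not Angular's implementation: a minimal model of how a
// property binding such as [href]="value" treats strings versus values
// that were explicitly marked as trusted.

/** Marker type for a value the developer has explicitly vouched for
 *  (plays the role of Angular's SafeUrl). Assumed name. */
class TrustedUrl {
  constructor(readonly value: string) {}
}

// Allowlist of URL schemes considered safe to bind to href/src.
// Assumption: a modelled allowlist, not Angular's actual regular expression.
// The second alternative accepts scheme-less (relative) URLs.
const SAFE_URL = /^(?:(?:https?|mailto|tel|ftp):|[^&:/?#]*(?:[/?#]|$))/i;

/** Sanitize an untrusted URL string: keep it if the scheme is allowed,
 *  otherwise neutralise it by prefixing "unsafe:", so the browser can no
 *  longer interpret it as a javascript: (or other disallowed) URL. */
function sanitizeUrl(url: string): string {
  const trimmed = url.trim();
  return SAFE_URL.test(trimmed) ? trimmed : `unsafe:${trimmed}`;
}

/** Explicit bypass, the counterpart of DomSanitizer.bypassSecurityTrustUrl:
 *  the caller asserts the value is safe and sanitization is skipped. */
function bypassSecurityTrustUrl(url: string): TrustedUrl {
  return new TrustedUrl(url);
}

/** What the binding resolves to at render time: plain strings are always
 *  sanitized, and only a TrustedUrl wrapper bypasses sanitization. */
function resolveHref(value: string | TrustedUrl): string {
  return value instanceof TrustedUrl ? value.value : sanitizeUrl(value);
}
```

Note that the wrapper, not the string contents, is what disables sanitization, which is why passing attacker-controlled data to bypassSecurityTrustUrl reintroduces the XSS the default pipeline would have blocked.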