Security

Best Practices

• To systematically block XSS bugs, Angular treats all values as untrusted by default.

• Values inserted into the DOM are sanitized and escaped.

  • You can manually sanitize untrusted values with DomDanitizer.sanitize.

• Always use AOT Ahead-of-Time template compiler in production deployments.

Bypass Security

• To mark values as truted, inject DomSanitizer

constructor(private sanitizer: DomSanitizer) {
    // javascript: URLs are dangerous if attacker controlled.
    // Angular sanitizes them in data binding, but you can
    // explicitly tell Angular to trust this value:
    this.dangerousUrl = 'javascript:alert("Hi there")';
    this.trustedUrl = sanitizer.bypassSecurityTrustUrl(this.dangerousUrl);
}