
Would that mean angular2 doesn't suggest rendering on the server side?

I understand that angular2 can render on the server side (even though I don't know what the benefit is), and I have actually seen an example of angular2 server-side rendering.

Angular 2 Universal Starter

But it seems the official angular2 docs don't suggest this.

Server side XSS protection, from the angular2 docs:

HTML constructed on the server is vulnerable to injection attacks. Injecting template code into an Angular application is the same as injecting executable code into the application; it gives the attacker full control over the application. To prevent this, make sure to use a templating language that automatically escapes values to prevent XSS vulnerabilities on the server. Do not generate Angular templates on the server side using a templating language, this carries a high risk of introducing template injection vulnerabilities.

How should I understand this?

XSS can be caused by user-provided data added to the DOM.

This is not what server-side rendering is about. Server-side rendering is about executing your Angular2 application on the server, caching the result and sending the resulting DOM to the client, so that the client has less initialization work to do and can do the initial render in a shorter time.

This can cause user-provided data to be added to the DOM if your Angular2 application code is doing this. Angular2 does sanitize added HTML to prevent XSS, also when rendered on the server. If you prevent this by marking a string as safe using DomSanitizationService, then you again become susceptible to XSS attacks.

Do not generate Angular templates on the server side using a templating language, this carries a high risk of introducing template injection vulnerabilities.

Relying on Angular 2 to sanitize HTML to prevent XSS is not enough. An adversary could inject Angular expressions, such as {{1==1}}, into the server side template. {{1==1}} may be a harmless example, but check out this example where you can get a user's authentication token. This is why generating Angular templates on the server is dangerous. You have to ensure that an adversary can't inject malicious Angular expressions.
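An added example in plain Node.js (not from the question or either answer) contrasting the pattern the answer warns about, user data concatenated into Angular template source, with keeping user data out of the template entirely; the function names and the JSON state-embedding approach are assumptions, and the probe input is the harmless {{1==1}} quoted above.

```javascript
// Anti-pattern described in the answer: the template text itself is assembled from
// user input, so any {{ }} in that input is parsed by Angular as an expression.
function buildTemplateFromUserData(displayName) {
  return `<h1>Welcome, ${displayName}</h1>`;
}

// Mitigation: the template is a fixed string bound to a component property.
// User data travels separately as JSON, so Angular treats it as data, not template.
const STATIC_TEMPLATE = '<h1>Welcome, {{ displayName }}</h1>';

function buildPageState(displayName) {
  return {
    template: STATIC_TEMPLATE,
    // JSON-encode and escape "<" so the state can sit inside a <script> tag
    // without a "</script>" in the data closing the tag early.
    stateJson: JSON.stringify({ displayName }).replace(/</g, '\\u003c'),
  };
}

// Defensive guard for code review or a server-side check: does text that is about
// to be written into template source carry Angular interpolation syntax?
function containsInterpolationSyntax(text) {
  return /\{\{|\}\}/.test(text);
}

// Constructed sample input: the harmless probe quoted in the answer.
const SAMPLE_INPUT = '{{1==1}}';

// Walkthrough: the unsafe builder embeds the probe verbatim in template source;
// the safe builder leaves the template untouched and carries the probe only as data.
function demo() {
  const unsafe = buildTemplateFromUserData(SAMPLE_INPUT);
  const safe = buildPageState(SAMPLE_INPUT);
  return {
    unsafeTemplateHasExpression: containsInterpolationSyntax(unsafe), // true
    safeTemplateHasUserData: safe.template.includes(SAMPLE_INPUT),    // false
    roundTrippedName: JSON.parse(safe.stateJson).displayName,         // '{{1==1}}'
  };
}

console.log(demo());
```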
