AngularJS 是否默认保护用户输入的 XSS 攻击?
[英]Is AngularJS protected to user's input XSS attacks by default?
问题描述
I have seen that when I am adding HTML or JS content to the DB and then print it with AngularJS, like this: {{theDataAddedToDB}} it ignores the HTML tags and then it is protected from XSS.
我已经看到,当我将 HTML 或 JS 内容添加到数据库,然后使用 AngularJS 打印它时,如下所示: {{theDataAddedToDB}}它会忽略 HTML 标签,然后它会受到 XSS 的保护。
Now that is nice to assume - but is it enough to be sure that my projects are XSS protected when I am using the AngularJS?现在假设很好 - 但是当我使用 AngularJS 时,是否足以确保我的项目受到 XSS 保护?
(I am talking about user input by itself, not about third party plugins or something else, just user inputs XSS). (我说的是用户输入本身,而不是第三方插件或其他东西,只是用户输入的 XSS)。
Thanks.谢谢。
1 个解决方案
解决方案1
2 已采纳 2017-12-26 10:38:50
By making use of $sceProvider and $SanitizeProvider we can avoid xss attacks in angularjs.通过使用 $sceProvider 和 $SanitizeProvider 我们可以避免 angularjs 中的 xss 攻击。
use these library as per angular js norm:按照 angular js 规范使用这些库:
<script type="text/javascript" src="http://ajax.googleapis.com/ajax/libs/angularjs/1.3.3/angular.min.js"></script>
<script type="text/javascript" src="http://ajax.googleapis.com/ajax/libs/angularjs/1.3.3/angular-sanitize.min.js"></script>
and then in script tag the code could be written like this:然后在脚本标签中,代码可以这样写:
<script type="text/javascript">
angular.module('HelloApp', ["ngSanitize"])
.controller('HelloCtrl', ['$scope', '$sce', function($scope, $sce){
$scope.name="";
$scope.processHtmlCode=function() {
$scope.helloMessage = "<h1>" + $scope.name + "</h1>";
$scope.trustedMessage = $sce.trustAsHtml( $scope.name );
}
}])
</script>
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.