Build an app in Angular to demonstrate vulnerability with Strict Contextual Escaping disabled. This app should disable that, allowing you to perform and XSS attack on the site.
An XSS vulnerability is an injection vulnerability, where the attacker inserts a piece of malicious data into a web application. The maliciously injected data will be picked up by the browser, which interprets the data as code. This causes the injected payload from the attacker to be executed as legitimate application code, which gives the attacker full control over the application running in the user’s browser.

The code example below illustrates a textbook example of an XSS vulnerability and attack.

A DOM-XSS vulnerability in a jQuery application

<div id=messageContainer></div>
<script>
...
$(#messageContainer).append(myMessage);
...
</script>
A malicious message containing a JavaScript payload

Hello John!<script>alert(Let's play hide and seek!)</script>
If this data is inserted into the page, the browser executes the script in the message, triggering the alert dialog. The example here calls the alert() function, which is probably the least dangerous effect of an XSS attack. Make no mistake. In reality, attackers can steal sensitive data from the pages, capture user input to steal passwords or credit card information, and even send requests to servers as if the legitimate application itself sends them. Once an attacker succeeds in exploiting an XSS vulnerability, you should consider the application’s entire execution environment in the browser to be compromised.

The best defense against XSS attacks is to ensure that the browser will never see data as code. A common approach to achieve that is by applying context-sensitive output encoding. Context-sensitive output encoding will ensure that the data is encoded for the context where it ends up in the page. During the encoding, potentially dangerous characters are translated into harmless counterparts. Because of that translation, the browser will see these characters as data instead of code, which avoids the confusion and prevents the attack.

Below is an example of the effect of applying context-sensitive output encoding on data containing a malicious payload.

A malicious message containing a JavaScript payload, but properly encoded to avoid XSS

Hello John!&lt;script&gt;alert(Let's play hide and seek!)&lt;/script&gt;
As you can see, the browser is now instructed to render the &lt; and &gt; HTML codes, which display the < and > characters. Since this is clearly data, the browser will not confuse the data for code.
Modify the snippet you provided in order to avoid this kind of vulnerability, but provide one (a back end one) that allows the attacker to perform a stored XSS attack. Use either PHP or nodejs for the backend.