angular-security-XSS

Demo for how Angular automatically applies XSS defenses

import { Component } from '@angular/core';
import { DomSanitizer } from '@angular/platform-browser'

@Component({
  selector: 'app-root',
  template: `
    <h3>Angular automatically applies XSS defenses</h3>
    
    <input #i (input)="null"/>
    <br />
    {{i.value}}
    
    {{hack}}
        
    <div [innerHTML]="hack"></div>
    <a [href]="hackURL">untrusted URL</a>

    <!--div-- [innerHTML]="sanitizer.bypassSecurityTrustHtml(hack)"></!--div-->
  `,
})
export class AppComponent {
  hack = `<img src="a.png" onerror="alert(1)"/>`
  hackURL = `javascript:alert(1)`

  constructor(private sanitizer: DomSanitizer) { }
}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

README.md

README.md

angular-security-XSS

Files

README.md

Latest commit

History

README.md

File metadata and controls

angular-security-XSS