<h1 id="security">Security</h1>
<p>This document explains some of AngularJS's security features and best practices that you should keep in mind as you build your application.</p>
<h2 id="expression-sandboxing">Expression Sandboxing</h2>
<p>AngularJS's expressions are sandboxed not for security reasons, but to maintain a proper separation of application responsibilities. For example, access to <code>window</code> is disallowed because it makes it easy to introduce brittle global state into your application.</p>
<p>However, this sandbox is not intended to stop attackers who can edit the template before it's processed by Angular. It may be possible to run arbitrary JavaScript inside double-curly bindings if an attacker can modify them.</p>
<p>But if an attacker can change arbitrary HTML templates, there's nothing stopping them from doing:</p>
<pre><code class="lang-html">&lt;script&gt;somethingEvil();&lt;/script&gt;
</code></pre>
<p>It's better to design your application in such a way that users cannot change client-side templates. For instance:</p>
<ul>
<li>Do not mix client and server templates</li>
<li>Do not use user input to generate templates dynamically</li>
<li>Do not run user input through <code>$scope.$eval</code></li>
<li>Consider using <a href="api/ng/directive/ngCsp">CSP</a> (but don't rely only on CSP)</li>
</ul>
<h2 id="mixing-client-side-and-server-side-templates">Mixing client-side and server-side templates</h2>
<p>In general, we recommend against this because it can create unintended XSS vectors.</p>
<p>However, it's OK to use server-side templating in the bootstrap template (<code>index.html</code>) as long as user input cannot be used on the server to output HTML that is then processed by Angular in a way that would allow arbitrary code execution.</p>
<p>For instance, you can use server-side templating to dynamically generate CSS, URLs, etc., but not for generating templates that are bootstrapped/compiled by Angular.</p>
<h2 id="reporting-a-security-issue">Reporting a security issue</h2>
<p>Email us at <a href="mailto:security@angularjs.org">security@angularjs.org</a> to report any potential security issues in AngularJS.</p>
<p>Please keep in mind the above points about Angular's expression language.</p>
<h2 id="see-also">See also</h2>
<ul>
<li><a href="api/ng/directive/ngCsp">Content Security Policy</a></li>
<li><a href="api/ng/service/$sce">Strict Contextual Escaping</a></li>
<li><a href="api/ngSanitize/service/$sanitize">$sanitize</a></li>
</ul>
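<p>The following is an added example, not code from the AngularJS documentation or the Angular project. It models the one case the "Mixing client-side and server-side templates" section allows, server-side rendering of the bootstrap page (<code>index.html</code>), as a plain Node.js string renderer, and makes the guide's point concrete: ordinary HTML escaping does not neutralise Angular's <code>{{ }}</code> interpolation markers, so user input spliced into markup under the <code>ng-app</code> root becomes an expression binding rather than text. The helper names <code>renderUnsafe</code>, <code>renderSafe</code>, <code>hasInterpolationMarkers</code> and <code>inputLandsInsideNgApp</code> are hypothetical, and the default <code>{{ }}</code> interpolation symbols are assumed.</p>

```javascript
// Added example (not from the AngularJS docs). All function names are hypothetical helpers
// written for this illustration; the sample input below is constructed, not real user data.

// Standard HTML escaping. Sufficient against markup injection, but note what it leaves alone:
// '{' and '}' are not special to HTML, so Angular's {{ }} interpolation markers survive intact.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => (
    { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]
  ));
}

// Vulnerable pattern: user-controlled text is escaped and then spliced into markup that sits
// inside the ng-app root. Angular compiles that subtree at bootstrap, so any {{...}} in the
// text is treated as an expression to evaluate, not as text to display.
function renderUnsafe(displayName) {
  return [
    '<!DOCTYPE html><html><head><title>App</title></head>',
    `<body ng-app="app"><h1>Hello ${escapeHtml(displayName)}</h1></body></html>`,
  ].join('\n');
}

// Hardened pattern: the server emits user data as JSON in a non-executable script block placed
// OUTSIDE the ng-app root, so Angular never compiles it. The template itself is fixed and only
// references scope data; {{user.name}} renders the string as text whatever it contains.
// The client is assumed to read the block with
// JSON.parse(document.getElementById('bootstrap-data').textContent) and assign it to $scope.user.
function renderSafe(displayName) {
  // Escape '<' inside the JSON so a value containing "</script>" cannot close the block early.
  // "\u003c" is still valid JSON and parses back to '<'.
  const json = JSON.stringify({ name: displayName }).replace(/</g, '\\u003c');
  return [
    '<!DOCTYPE html><html><head><title>App</title>',
    `<script type="application/json" id="bootstrap-data">${json}</script></head>`,
    '<body ng-app="app"><h1>Hello {{user.name}}</h1></body></html>',
  ].join('\n');
}

// Detection helper for the server boundary: flag inputs carrying interpolation markers
// (default {{ }} symbols assumed). A useful log or alert signal, not a substitute for keeping
// user input out of compiled templates.
function hasInterpolationMarkers(s) {
  return /\{\{|\}\}/.test(String(s));
}

// Structural check: does the first occurrence of `marker` in the rendered page fall after the
// element carrying ng-app, i.e. inside the subtree Angular will compile?
function inputLandsInsideNgApp(html, marker) {
  const root = html.indexOf('ng-app=');
  const pos = html.indexOf(marker);
  return pos !== -1 && root !== -1 && pos > root;
}

// Constructed sample input: an interpolation expression plus some markup.
const constructedInput = '{{1+1}} <b>x</b>';

// Stand-alone demonstration of the difference between the two renderings.
console.log('unsafe, inside ng-app:', inputLandsInsideNgApp(renderUnsafe(constructedInput), '{{1+1}}'));
console.log('safe,   inside ng-app:', inputLandsInsideNgApp(renderSafe(constructedInput), '{{1+1}}'));
console.log('input flagged:', hasInterpolationMarkers(constructedInput));
```

<p>Run with <code>node</code>: the unsafe rendering carries the escaped input, still containing <code>{{1+1}}</code>, inside the <code>ng-app</code> subtree, while the safe rendering keeps it in a JSON block in <code>&lt;head&gt;</code> that Angular never processes and lets the fixed <code>{{user.name}}</code> binding display it as text. The same separation holds if the data is fetched from an API at run time instead of embedded in the page; the rule is that user input reaches Angular as scope data, never as template markup.</p>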