This document explains some of AngularJS's security features and best practices that you should keep in mind as you build your application.
AngularJS's expressions are sandboxed not for security reasons, but instead to maintain a proper separation of application responsibilities. For example, access to
window is disallowed because it makes it easy to introduce brittle global state into your application.
But if an attacker can change arbitrary HTML templates, there's nothing stopping them from doing:
It's better to design your application in such a way that users cannot change client-side templates. For instance:
In general, we recommend against this because it can create unintended XSS vectors.
However, it's ok to mix server-side templating in the bootstrap template (
index.html) as long as user input cannot be used on the server to output html that would then be processed by Angular in a way that would allow for arbitrary code execution.
For instance, you can use server-side templating to dynamically generate CSS, URLs, etc, but not for generating templates that are bootstrapped/compiled by Angular.
Email us at email@example.com to report any potential security issues in AngularJS.
Please keep in mind the above points about Angular's expression language.
© 2010–2016 Google, Inc.
Licensed under the Creative Commons Attribution License 4.0.