
Ng-bind-html Doesn't Prevent Cross Site Scripting

I used ng-bind-html in order to prevent cross site scripting, read about sanitize and found this discussion and another good discussion. Although, it didn't work for me, can you plea

Solution 1:

First of all, it's not XSS on its own.

Second, $sce.trustAsHtml does exactly the opposite of what you thought - it, in fact, instructs Angular to "trust" that the HTML is safe - not to sanitize.

To sanitize, you need to add ngSanitize as a dependency to your app, and ng-bind-html directly to html_code (without to_trusted).

angular.module("myApp", ["ngSanitize"])
  .controller("MainCtrl", function($scope){
     $scope.html_code = '<img src="x" onerror="alert(\'cross\')">';
  });

And in the HTML:

<div ng-bind-html="html_code"></div>
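To make concrete what ngSanitize does to that payload, here is a minimal allowlist sanitizer, added as an example and not taken from Angular or ngSanitize itself; the tag and attribute allowlists and the SAFE_URI pattern are assumptions chosen for illustration and are narrower than what ngSanitize ships.

```javascript
// Added example, not ngSanitize's own code: a minimal allowlist sanitizer that
// mirrors what ngSanitize does to markup bound through ng-bind-html. It keeps a
// small set of tags and attributes, drops every on* handler, and rejects
// javascript: URIs. Use ngSanitize itself in an application; this is for reading.
const ALLOWED_TAGS = new Set(["a", "b", "i", "em", "strong", "p", "br", "span", "img", "ul", "li"]);
const ALLOWED_ATTRS = new Set(["href", "src", "alt", "title"]);
const URI_ATTRS = new Set(["href", "src"]);
// Accept http(s)/mailto and relative URIs; reject javascript:, data:, vbscript: and friends.
const SAFE_URI = /^(?:(?:https?|mailto):|[^&:/?#]*(?:[/?#]|$))/i;

// Entities already present in the input are re-escaped (a simplification).
function escapeText(text) {
  return text.replace(/&/g, "&amp;").replace(/</g, "&lt;")
             .replace(/>/g, "&gt;").replace(/"/g, "&quot;");
}

function sanitizeAttrs(rawAttrs) {
  const ATTR = /([^\s=\/>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;
  let out = "", m;
  while ((m = ATTR.exec(rawAttrs)) !== null) {
    const name = m[1].toLowerCase();
    const value = m[2] ?? m[3] ?? m[4] ?? "";
    if (!ALLOWED_ATTRS.has(name)) continue;                      // onerror, onclick, style...
    if (URI_ATTRS.has(name) && !SAFE_URI.test(value)) continue;  // javascript: and data: URIs
    out += ` ${name}="${escapeText(value)}"`;
  }
  return out;
}

function sanitizeHtml(html) {
  // Simplified tokenizer: a '>' inside an attribute value would end the tag early.
  const TAG = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/g;
  let out = "", last = 0, m;
  while ((m = TAG.exec(html)) !== null) {
    out += escapeText(html.slice(last, m.index));  // text between tags is escaped
    last = TAG.lastIndex;
    const closing = m[1] === "/", tag = m[2].toLowerCase();
    if (!closing && (tag === "script" || tag === "style")) {    // drop raw-text content too
      const end = html.toLowerCase().indexOf(`</${tag}`, last);
      const gt = end === -1 ? -1 : html.indexOf(">", end);
      last = TAG.lastIndex = gt === -1 ? html.length : gt + 1;
      continue;
    }
    if (!ALLOWED_TAGS.has(tag)) continue;          // unknown tag dropped, its text kept
    out += closing ? `</${tag}>` : `<${tag}${sanitizeAttrs(m[3])}>`;
  }
  return out + escapeText(html.slice(last));
}

// The page's payload: the handler is stripped, the harmless src survives.
// sanitizeHtml('<img src="x" onerror="alert(\'cross\')">') -> '<img src="x">'
```

Binding the sanitized string through ng-bind-html (with ngSanitize loaded) is what Solution 1 describes; trustAsHtml would skip this step entirely.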

Solution 2:

After using Sanitize I changed my code and used getTrustedHtml instead of trustAsHtml; it runs the sanitizer in the controller.

// $sce must be injected into the controller; with ngSanitize loaded,
// getTrustedHtml runs $sanitize on the untrusted string.
$scope.to_trusted = function(html_code) {
    return $sce.getTrustedHtml(html_code);
};

And it solves my issue.
