Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

angularjs + cross-site scripting preventing

Is Angularjs takes care of XSS attack. I have read that ng-bind takes care. But When i try to do a sample to test that, it allows me to insert html tags in input type with ng-model...it didn't escape the Html tags.

I have lot of input element in our page, which binds with ng-model, what should I do to make sure if I input a html tags ,angular ignores the html/scrip tags.

ex.

<input id="name" ng-model="name"></input>

if I input as

'Hello, <b>World</b>!'

$scope.name contains the same what I entered ,didn't exclude the tags. i.e

  var val = $scope.name;
  console.log(val); 

prints as same

'Hello, <b>World</b>!'

Please let me know how to solve this in angularjs.

thank

like image 428
dav10 Avatar asked Apr 11 '14 08:04

dav10


People also ask

How does AngularJS prevent XSS?

To systematically block XSS bugs, Angular treats all values as untrusted by default. When a value is inserted into the DOM from a template binding, or interpolation, Angular sanitizes and escapes untrusted values.

What prevents cross-site scripting?

In general, effectively preventing XSS vulnerabilities is likely to involve a combination of the following measures: Filter input on arrival. At the point where user input is received, filter as strictly as possible based on what is expected or valid input. Encode data on output.

Can XSS occur in AngularJS?

XSS may be triggered in AngularJS applications that sanitize user-controlled HTML snippets before passing them to JQLite methods like JQLite.

Is Angular prone to XSS?

Another instance where XSS attacks can happen in Angular is when you use native web APIs to directly access the DOM elements. In this case, you might use ElementRef to access a DOM element in your application as shown below.


2 Answers

Look at here : http://docs.angularjs.org/api/ngSanitize/service/$sanitize

If you want escape use ng-bind, it ll render the tag without interpretation like that :

Hello <b>World</b> not like Hello World !

Do you understand ? so ng-bind is safe because it doesn't care about HTML tags.

If you want that your HTML tags be interpreted but safely just use ng-bind-html !

For example if you want to display this string :

'Hello <b>World</b><input type="text" />'

The result will be : Hello World but without the input because AngularJS compiler uses $sanitize service and check a whitelist of HTML elements and an iput is not authorized.

Maybe ng-bind-html is what you're looking for.

If you just want be sure that the user can't put html tags in your input just use the directive ng-pattern on your inputs !

http://docs.angularjs.org/api/ng/directive/input

It takes a regex for allowed characters in your input !

Hope it helps !

like image 178
Thomas Pons Avatar answered Oct 10 '22 19:10

Thomas Pons


I don't believe that AngularJS has default whitelist input validation, which is what your test exercises. So a user can pretty much input anything they like. This is not surprising - whitelists are very domain specific, and Angular is a framework designed for a wide range of domains.

The main defense against XSS is to properly encode all untrusted data (see https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_(XSS)). This, Angular does by default.

Bottom line is that AngularJS is intended to be secure from XSS by default, no special action required. You can verify some basic scenarios by trying to output what you input into a view using the normal {{scopevariable}} notation.

I did find a detailed analysis of AngularJS XSS vulnerability: https://code.google.com/p/mustache-security/wiki/AngularJS. At the end of the comments, there is a link to a google doc with further discussion and response from the angular team.

like image 11
Steve Campbell Avatar answered Oct 10 '22 19:10

Steve Campbell