What bad can happen if I disable $sce service completely?
angular.module('app').config(function ($sceProvider) {
$sceProvider.enabled(false);
});
You should only disable SCE if you are 100% sure all application bindings (HTML, URL...) are safe. For example, if the application always sanitizes user inputs either on the server or client before rendering then the additional ceremony enforced by SCE may not be necessary.
However, it's very rare that you can be 100% positive that all values are safe, especially when the application grows large and is coded by many developers. Enabling SCE enforces that only values explicitly marked as trusted using one of the $sce.trustAsXXX methods can be used by the application.
For example, if you use ngBindHtml to render some HTML, AngularJS will throw an error unless the scope variable assigned to ngBindHtml is wrapped with $sce.trustAsHtml. Similar enforcement happens when you set templateUrl of a route or directive. This makes the application more secure by failing fast, giving you a chance to audit each place where the error occurs and decide whether to trust or fix it.
One final note: if you include ngSanitize or implement a $sanitize service, then you don't need to disable SCE to use untrusted HTML values, as AngularJS will just sanitize the untrusted inputs using the $sanitize service. Similarly, if a template URL shares its origin with the application, there's no need to explicitly wrap it.
Can I disable SCE completely?
Yes, you can. However, this is strongly discouraged. SCE gives you a lot of security benefits for little coding overhead. It will be much harder to take an SCE disabled application and either secure it on your own or enable SCE at a later stage. It might make sense to disable SCE for cases where you have a lot of existing code that was written before SCE was introduced and you're migrating them a module at a time.
(from documentation)
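To make the four situations in the answer concrete (SCE disabled, SCE enabled with a raw string, SCE enabled with $sce.trustAsHtml, and SCE enabled with a $sanitize service, plus the same-origin rule for template URLs), here is a small self-contained JavaScript model of the SCE gate. It is an added example, not code from the question, the answer or AngularJS itself: AngularJS keeps trusted values in a private wrapper class and ngSanitize is a full HTML parser, so this stand-in only reproduces the control flow. The names TrustedHtml, makeSce, toySanitize, renderBindHtml, demo, the error messages (modelled on AngularJS's $sce:unsafe and $sce:insecurl error codes), the constructed PAYLOAD and the origin https://app.example are all assumptions made for this illustration.

```javascript
// Added example: a minimal model of AngularJS's SCE gate. NOT AngularJS code.
// Names, error text, payload and origin below are assumptions for illustration.

const APP_ORIGIN = 'https://app.example';   // assumed origin of the application

// Stand-in for the opaque wrapper that $sce.trustAsHtml returns.
class TrustedHtml {
  constructor(value) { this.value = String(value); }
}

// Stand-in for the $sanitize service: escape everything, then let a tiny
// allowlist of attribute-free tags back through. Real ngSanitize parses the
// markup and filters attributes and URLs; do not use this toy in production.
function toySanitize(html) {
  const escaped = html
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;');
  return escaped.replace(/&lt;(\/?)(b|i|p|em|strong)&gt;/g, '<$1$2>');
}

// Build an $sce-like object. `enabled` mirrors $sceProvider.enabled();
// `sanitize` is null when no $sanitize service (ngSanitize) is loaded.
function makeSce({ enabled = true, sanitize = null } = {}) {
  return {
    trustAsHtml(value) {
      return new TrustedHtml(value);
    },
    // What ngBindHtml asks for before writing into the DOM.
    getTrustedHtml(value) {
      if (!enabled) return String(value);               // SCE off: anything goes
      if (value instanceof TrustedHtml) return value.value; // explicitly trusted
      if (sanitize) return sanitize(String(value));     // $sanitize present: clean it
      throw new Error('[$sce:unsafe] Attempting to use an unsafe value in a safe context.');
    },
    // What templateUrl asks for. Same-origin URLs pass implicitly; in AngularJS a
    // foreign origin would need $sce.trustAsResourceUrl, which is not modelled here.
    getTrustedResourceUrl(url) {
      if (!enabled) return url;
      const origin = new URL(url, APP_ORIGIN).origin;
      if (origin === APP_ORIGIN) return url;
      throw new Error('[$sce:insecurl] Blocked loading resource from ' + url);
    },
  };
}

// Mirrors what ng-bind-html does with a scope value: ask SCE for a trusted
// string, or let the error surface so the page fails fast.
function renderBindHtml(sce, scopeValue) {
  return sce.getTrustedHtml(scopeValue);
}

// Constructed attacker-controlled input (e.g. a comment body stored unsanitized).
const PAYLOAD = '<b>hello</b><img src=x onerror="alert(1)">';

function demo() {
  const results = {};
  // 1. SCE disabled: the onerror handler reaches the DOM untouched.
  results.disabled = renderBindHtml(makeSce({ enabled: false }), PAYLOAD);
  // 2. SCE enabled, raw string: throws, which is the "fail fast" the answer describes.
  try {
    renderBindHtml(makeSce(), PAYLOAD);
    results.enabledRaw = 'rendered';
  } catch (e) {
    results.enabledRaw = e.message;
  }
  // 3. SCE enabled, value explicitly wrapped with trustAsHtml: rendered verbatim
  //    (the developer has taken responsibility for it being safe).
  const sce = makeSce();
  results.enabledTrusted = renderBindHtml(sce, sce.trustAsHtml(PAYLOAD));
  // 4. SCE enabled with a $sanitize service: no error, the markup is cleaned instead.
  results.enabledSanitized = renderBindHtml(makeSce({ sanitize: toySanitize }), PAYLOAD);
  return results;
}

console.log(demo());
```

Case 4 is the one the answer recommends over disabling SCE: the `<b>` survives while the `<img onerror>` comes out escaped, and no wrapping call is needed. Note also that in case 3 `trustAsHtml` does not inspect the value at all; it is purely a statement that the developer has already vetted it, which is why every call site deserves an audit.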