diff --git a/src/data/roadmaps/angular/content/cross-site-scripting@umUX4Hxk7srHlFR_Un-u7.md b/src/data/roadmaps/angular/content/cross-site-scripting@umUX4Hxk7srHlFR_Un-u7.md index 82042520e..313126373 100644 --- a/src/data/roadmaps/angular/content/cross-site-scripting@umUX4Hxk7srHlFR_Un-u7.md +++ b/src/data/roadmaps/angular/content/cross-site-scripting@umUX4Hxk7srHlFR_Un-u7.md @@ -1 +1,11 @@ -# Cross-site Scripting \ No newline at end of file +# Cross-site Scripting + +Cross-site scripting (XSS) enables attackers to inject malicious code into web pages. Such code can then, for example, steal user and login data, or perform actions that impersonate the user. +This has been one of the biggest web security vulnerabilities for over a decade. + +To systematically block XSS bugs, Angular treats all values as untrusted by default. When a value is inserted into the DOM from a template binding, or interpolation, Angular sanitizes and escapes untrusted values. + +Visit the following resources to learn more: + +- [@official@Angular Official Docs - Preventing cross-site scripting (XSS)](https://angular.dev/best-practices/security#preventing-cross-site-scripting-xss) +- [@article@Mitigate cross-site scripting (XSS)](https://web.dev/articles/strict-csp) \ No newline at end of file diff --git a/src/data/roadmaps/angular/content/sanitization@cgI9oeUHufA-ky_W1zENe.md b/src/data/roadmaps/angular/content/sanitization@cgI9oeUHufA-ky_W1zENe.md index f99e8b75f..74f94fd3c 100644 --- a/src/data/roadmaps/angular/content/sanitization@cgI9oeUHufA-ky_W1zENe.md +++ b/src/data/roadmaps/angular/content/sanitization@cgI9oeUHufA-ky_W1zENe.md 
@@ -1 +1,13 @@ -# Sanitization \ No newline at end of file +# Sanitization + +Sanitization is the inspection of an untrusted value, turning it into a value that's safe to insert into the DOM. In many cases, sanitization doesn't change a value at all. Sanitization depends on context: A value that's harmless in CSS is potentially dangerous in a URL. + +Angular sanitizes untrusted values for HTML and URLs. Sanitizing resource URLs isn't possible because they contain arbitrary code. In development mode, Angular prints a console warning when it has to change a value during sanitization. + +Interpolated content is always escaped —the HTML isn't interpreted and the browser displays angle brackets in the element's text content. + +For the HTML to be interpreted, bind it to an HTML property such as `innerHTML`. Be aware that binding a value that an attacker might control into `innerHTML` normally causes an XSS vulnerability. + +Visit the following resources to learn more: + +- [@official@Angular Official Docs - Sanitization and security contexts](https://angular.dev/best-practices/security#sanitization-and-security-contexts) diff --git a/src/data/roadmaps/angular/content/security@mm6c7GLQEwoQdAHdAYzGh.md b/src/data/roadmaps/angular/content/security@mm6c7GLQEwoQdAHdAYzGh.md index f76df344c..2e28b0ec2 100644 --- a/src/data/roadmaps/angular/content/security@mm6c7GLQEwoQdAHdAYzGh.md +++ b/src/data/roadmaps/angular/content/security@mm6c7GLQEwoQdAHdAYzGh.md @@ -1 +1,8 @@ -# Security \ No newline at end of file +# Security + +This topic describes Angular's built-in protections against common web-application vulnerabilities and attacks such as cross-site scripting attacks. It doesn't cover application-level security, such as authentication and authorization. + +Visit the following resources to learn more: + +- [@official@Angular Official Docs - Security](https://angular.dev/best-practices/security) +- [@official@Open Web Application Security Project (OWASP)](https://owasp.org/) 
diff --git a/src/data/roadmaps/angular/content/trusting-safe-values@XoYSuv1salCCHoI1cJkxv.md b/src/data/roadmaps/angular/content/trusting-safe-values@XoYSuv1salCCHoI1cJkxv.md index 76f7284dc..a8617cc4c 100644 --- a/src/data/roadmaps/angular/content/trusting-safe-values@XoYSuv1salCCHoI1cJkxv.md +++ b/src/data/roadmaps/angular/content/trusting-safe-values@XoYSuv1salCCHoI1cJkxv.md @@ -1 +1,7 @@ -# Trusting Safe Values \ No newline at end of file +# Trusting Safe Values + +Sometimes applications genuinely need to include executable code, display an `
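Review bot: In the cross-site-scripting@umUX4Hxk7srHlFR_Un-u7.md hunk, the second resource is labelled "Mitigate cross-site scripting (XSS)" but links to https://web.dev/articles/strict-csp, which is specifically about deploying a strict Content Security Policy; name the mechanism in the label (e.g. "Mitigate cross-site scripting (XSS) with a strict Content Security Policy") so the reader sees it is a browser-side layer in addition to the template sanitization described in the paragraph above. Two smaller points in the same hunk: "inserted into the DOM from a template binding, or interpolation" has a stray comma before "or", and this new file ends without a trailing newline ("\ No newline at end of file") while the other new files in the patch have one.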
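Review bot: In the sanitization@cgI9oeUHufA-ky_W1zENe.md hunk, "Interpolated content is always escaped —the HTML isn't interpreted" has a space before the dash and none after; a colon reads better: "Interpolated content is always escaped: the HTML isn't interpreted". The last paragraph also leaves a loose end: it warns that binding attacker-controlled values into `innerHTML` "normally causes an XSS vulnerability" right after the earlier paragraph says Angular sanitizes untrusted values in the HTML context. One sentence tying the two together would help, stating that a `[innerHTML]` binding passes through Angular's HTML sanitizer (which strips script content and event-handler attributes), so the warning is about what happens when that sanitization is bypassed or when the DOM is written directly.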
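Review bot: In the security@mm6c7GLQEwoQdAHdAYzGh.md hunk, the opening sentence repeats "attacks" ("vulnerabilities and attacks such as cross-site scripting attacks"); drop the second occurrence so it reads "such as cross-site scripting". The OWASP link is tagged `@official@` although it points to a third-party organisation rather than Angular's own documentation; check that this tag matches the roadmap's convention for external references.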