Add Angular security content (#6634)

* add security content

* Update src/data/roadmaps/angular/content/cross-site-scripting@umUX4Hxk7srHlFR_Un-u7.md

* Update src/data/roadmaps/angular/content/security@mm6c7GLQEwoQdAHdAYzGh.md

* Update src/data/roadmaps/angular/content/trusting-safe-values@XoYSuv1salCCHoI1cJkxv.md

---------

Co-authored-by: DrDreo <code@anderas-hahn.at>
Co-authored-by: Kamran Ahmed <kamranahmed.se@gmail.com>
pull/6659/head
Dr Dreo 3 months ago committed by GitHub
parent 3d71390126
commit 0b2119be50
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
  1. 10
      src/data/roadmaps/angular/content/cross-site-scripting@umUX4Hxk7srHlFR_Un-u7.md
  2. 12
      src/data/roadmaps/angular/content/sanitization@cgI9oeUHufA-ky_W1zENe.md
  3. 7
      src/data/roadmaps/angular/content/security@mm6c7GLQEwoQdAHdAYzGh.md
  4. 6
      src/data/roadmaps/angular/content/trusting-safe-values@XoYSuv1salCCHoI1cJkxv.md

@ -1 +1,11 @@
# Cross-site Scripting
Cross-site scripting (XSS) enables attackers to inject malicious code into web pages. Such code can then, for example, steal user and login data, or perform actions that impersonate the user.
This has been one of the biggest web security vulnerabilities for over a decade.
To systematically block XSS bugs, Angular treats all values as untrusted by default. When a value is inserted into the DOM from a template binding, or interpolation, Angular sanitizes and escapes untrusted values.
Visit the following resources to learn more:
- [@official@Angular Official Docs - Preventing cross-site scripting (XSS)](https://angular.dev/best-practices/security#preventing-cross-site-scripting-xss)
- [@article@Mitigate cross-site scripting (XSS)](https://web.dev/articles/strict-csp)

@ -1 +1,13 @@
# Sanitization
Sanitization is the inspection of an untrusted value, turning it into a value that's safe to insert into the DOM. In many cases, sanitization doesn't change a value at all. Sanitization depends on context: A value that's harmless in CSS is potentially dangerous in a URL.
Angular sanitizes untrusted values for HTML and URLs. Sanitizing resource URLs isn't possible because they contain arbitrary code. In development mode, Angular prints a console warning when it has to change a value during sanitization.
Interpolated content is always escaped —the HTML isn't interpreted and the browser displays angle brackets in the element's text content.
For the HTML to be interpreted, bind it to an HTML property such as `innerHTML`. Be aware that binding a value that an attacker might control into `innerHTML` normally causes an XSS vulnerability.
Visit the following resources to learn more:
- [@official@Angular Official Docs - Sanitization and security contexts](https://angular.dev/best-practices/security#sanitization-and-security-contexts)

@ -1 +1,8 @@
# Security
This topic describes Angular's built-in protections against common web-application vulnerabilities and attacks such as cross-site scripting attacks. It doesn't cover application-level security, such as authentication and authorization.
Visit the following resources to learn more:
- [@official@Angular Official Docs - Security](https://angular.dev/best-practices/security)
- [@official@Open Web Application Security Project (OWASP)](https://owasp.org/)

@ -1 +1,7 @@
# Trusting Safe Values
Sometimes applications genuinely need to include executable code, display an `<iframe>` from some URL, or construct potentially dangerous URLs. To prevent automatic sanitization in these situations, tell Angular that you inspected a value, checked how it was created, and made sure it is secure. Do be careful. If you trust a value that might be malicious, you are introducing a security vulnerability into your application. If in doubt, find a professional security reviewer.
Visit the following resources to learn more:
- [@official@Angular Official Docs - Trusting safe values](https://angular.dev/best-practices/security#trusting-safe-values)

Loading…
Cancel
Save