Angular security best practices


This time, we dive straight into the modern Angular security best practices. By Liran Tal, Natalia Venditto.

The article centres around this list:

  • The “Angular way” safeguards you from XSS
  • Use innerHTML with caution
  • Never use templates generated by concatenating user input
  • Never use native DOM APIs to interact with HTML elements
  • Avoid template engines on server-side templates
  • Scan your Angular project for components which introduce security vulnerabilities

Angular, much like React and Vue.js, takes a security-by-default approach to string interpolation in the browser. All data is treated as unsafe and untrusted by default, so these libraries, like other modern view libraries, follow the best practice of output-encoding any text placed in an HTML context.
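The difference between concatenating user input into markup and encoding it by default, as an added plain-JavaScript illustration (not Angular's implementation and not code from the original article). The names `encodeHtml`, `html`, `trusted` and `Trusted` are hypothetical, and the sample input is constructed.

```javascript
// Added illustration of "encode by default"; all names here are hypothetical.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Encode the characters that are significant in HTML text and quoted attributes.
function encodeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Explicit opt-out: markup the developer has vetted must be wrapped on purpose.
class Trusted {
  constructor(markup) {
    this.markup = markup;
  }
}
const trusted = (markup) => new Trusted(markup);

// Tagged template: literal parts are developer-authored markup, while every
// interpolated value is treated as untrusted and encoded unless it is Trusted.
function html(strings, ...values) {
  let out = strings[0];
  values.forEach((value, i) => {
    out += value instanceof Trusted ? value.markup : encodeHtml(value);
    out += strings[i + 1];
  });
  return out;
}

// Template built by concatenating user input: the input becomes markup.
function renderByConcatenation(name) {
  return "<p>Hello " + name + "</p>";
}

// Same template with encode-by-default interpolation: the input stays text.
function renderEncoded(name) {
  return html`<p>Hello ${name}</p>`;
}

const sample = '<b onclick="x()">hi</b>'; // constructed sample input
console.log(renderByConcatenation(sample));
console.log(renderEncoded(sample));
```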

If you’re looking for anything close to an Angular security scanner, check out Snyk (for free) as a way to track your open source dependencies, get notified, and fix them as vulnerabilities get discovered. Good read!
