例如这个代码是危险的:
<div [innerHTML]="post.body"></div>
解决方法
这里写的是:
Interpolated content is always escaped—the HTML isn’t interpreted and the browser displays angle brackets in the element’s text content.
For the HTML to be interpreted,bind it to an HTML property such as innerHTML. But binding a value that an attacker might control into innerHTML normally causes an XSS vulnerability. For example,the code contained in a
<script>
tag is executed:
export class InnerHtmlBindingComponent {
// For example,a user/attacker-controlled value from a URL.
htmlSnippet = 'Template <script>alert("0wned")</script> <b>Syntax</b>';
}Angular recognizes the value as unsafe and automatically sanitizes it,which removes the
<script>
tag but keeps safe content such as the text content of the<script>
tag and the<b>
element.
所以我想,是的,它是安全的.