
What's the best way to prevent XSS attacks in an AngularJS app? I've used $sanitize before sending it to a REST service call and I'm still getting errors from our security team that the app isn't secure. The call is something along the lines of

http://somesite.com/search?dateFrom='%22()%26%25<acx><ScRiPt%20>prompt(961193)</ScRiPt>&dateTo=20141231&code=5900

But this is supposed to be a POST call. I'm not sure why the security scan is still producing errors. Is this something that must be fixed server side? I have validation in my input fields using directives to prevent users from inputting invalid characters like <, >, etc. So I have no clue as to how the scan is producing those errors...

Here's a sample of the scan response headers: [screenshot]

    It may be a POST request but your security team may be upset because it's also sending a query string with a nested script tag in it. Commented Oct 6, 2015 at 20:35

2 Answers


By definition, XSS fixes are strictly referring to the output of insecure content.

AngularJS outputs encoded HTML by default, so it won't be parsed - the same goes for JS associated with it. So by default you should be covered.

Still, some AngularJS devs choose to use "ng-bind-html-unsafe" or manually mark unsafe content as trusted via $sce. In this case, developers must be aware that they are 100% relying on the backend to provide good data.

Are you sure that the security team refers to XSS and not CSRF? Because CSRF has a totally different fix (see CSRF token exchange on Google). If this is not the case, my gut says that they want encoded strings coming from the client side (because they are too lazy to encode them themselves).
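To make the point above concrete, here is an added example (not part of the original answer, and not AngularJS source code). It decodes the scanner's query string from the question, then contrasts the two kinds of binding the answer describes: a text binding that entity-encodes on output (what `{{ }}` / `ng-bind` effectively do) and an HTML binding that inserts the value as markup (what `ng-bind-html-unsafe`, or `ng-bind-html` fed a `$sce.trustAsHtml()` value, does). The function names and the tag check are this example's own.

```javascript
// Added example: what the scanner's query string decodes to, and why output
// encoding is the XSS fix. Function names are this example's own.

// The URL the scanner sent, copied from the question.
const SCANNED_URL =
  "http://somesite.com/search?dateFrom='%22()%26%25<acx><ScRiPt%20>prompt(961193)</ScRiPt>&dateTo=20141231&code=5900";

// Extract the raw (percent-decoded) value of one query parameter.
function queryParam(url, name) {
  return new URL(url).searchParams.get(name);
}

// HTML entity encoding for element-content and attribute-value contexts.
// A text binding writes the value through an encoder like this, so the
// browser never sees a tag.
function htmlEncode(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Two ways a result page might echo the search term back to the user.
// textBinding models {{ dateFrom }}; htmlBinding models ng-bind-html-unsafe
// (or ng-bind-html with a trusted value): the string becomes markup as-is.
function textBinding(value) { return `<span>${htmlEncode(value)}</span>`; }
function htmlBinding(value) { return `<span>${value}</span>`; }

// Crude check for a script element (case-insensitive, tolerates whitespace),
// which is roughly what the scanner looks for in the response body.
function containsScriptTag(html) {
  return /<\s*script\b/i.test(html);
}

// Run the scanner's dateFrom value through both sinks.
function demo() {
  const raw = queryParam(SCANNED_URL, "dateFrom");
  return {
    raw,
    encoded: htmlEncode(raw),
    textSinkVulnerable: containsScriptTag(textBinding(raw)),
    htmlSinkVulnerable: containsScriptTag(htmlBinding(raw)),
  };
}

console.log(demo());
```

The decoded `dateFrom` is `'"()&%<acx><ScRiPt >prompt(961193)</ScRiPt>`; after encoding it contains no `<` at all, so only the HTML sink reproduces a script element. The `prompt(961193)` probe is how the scanner recognises its own payload executing, and a mixed-case `ScRiPt` tag is there to defeat naive lowercase blocklists, which is one more reason to encode on output rather than filter on input.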



It turns out the server side did not sanitize the input data. Even though I have validation set up, the security team uses an application that can call the POST AJAX call without going through the web application.

1 Comment

It's always the BE guys' fault, no matter what. We should print some wallpapers with this quote :)
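The answer above is the usual finding: input-field directives only run inside the browser, and a scanner (or curl) posts straight to the endpoint. Here is an added example (not from the original post) of the server-side validation that actually closes the gap, written as a plain Node function so it runs without a framework. The field names match the question's query string; the handler shape, the code length limit and the constructed request bodies are assumptions for illustration.

```javascript
// Added example: server-side validation of the POST body, independent of any
// client-side directive. Handler shape and limits are assumed for illustration.

// Strict allowlist per field: say exactly what a valid value looks like, so a
// payload such as the scanner's '"()&%<acx><ScRiPt >... is rejected outright
// rather than "cleaned" and passed on.
const DATE_RE = /^\d{8}$/;   // YYYYMMDD
const CODE_RE = /^\d{1,6}$/; // numeric code; upper bound is an assumption

// YYYYMMDD string -> Date (UTC), or null if the calendar date does not exist
// (e.g. 20140231 rolls over in Date.UTC, which the round-trip check catches).
function parseYmd(s) {
  if (typeof s !== "string" || !DATE_RE.test(s)) return null;
  const y = Number(s.slice(0, 4));
  const m = Number(s.slice(4, 6));
  const d = Number(s.slice(6, 8));
  const dt = new Date(Date.UTC(y, m - 1, d));
  const roundTrips =
    dt.getUTCFullYear() === y && dt.getUTCMonth() === m - 1 && dt.getUTCDate() === d;
  return roundTrips ? dt : null;
}

// Validate the parsed body. Returns { ok, errors } or { ok, value }. Errors
// name the field only and never echo the submitted value, so the error
// response cannot itself become a reflected-XSS sink.
function validateSearch(body) {
  const errors = [];
  const from = parseYmd(body.dateFrom);
  const to = parseYmd(body.dateTo);
  if (!from) errors.push("dateFrom: expected YYYYMMDD");
  if (!to) errors.push("dateTo: expected YYYYMMDD");
  if (from && to && from > to) errors.push("dateFrom must not be after dateTo");
  if (typeof body.code !== "string" || !CODE_RE.test(body.code)) {
    errors.push("code: expected digits");
  }
  return errors.length
    ? { ok: false, errors }
    : { ok: true, value: { dateFrom: from, dateTo: to, code: body.code } };
}

// Minimal handler: what the endpoint does regardless of how the request was
// produced (browser, curl, or the security team's scanner). Returns the
// status and JSON body it would send.
function handleSearch(parsedBody) {
  const v = validateSearch(parsedBody);
  if (!v.ok) return { status: 400, body: { errors: v.errors } };
  return { status: 200, body: { query: v.value } }; // hand v.value to the search
}

// Constructed inputs: the scanner's payload posted directly (no browser, no
// directive), and a legitimate request.
const SCANNER_BODY = {
  dateFrom: "'\"()&%<acx><ScRiPt >prompt(961193)</ScRiPt>",
  dateTo: "20141231",
  code: "5900",
};
const GOOD_BODY = { dateFrom: "20140101", dateTo: "20141231", code: "5900" };

console.log(handleSearch(SCANNER_BODY));
console.log(handleSearch(GOOD_BODY));
```

The scanner's body gets a 400 with messages that contain none of the submitted text; the legitimate body passes with typed values that the search layer can use without further cleaning. Output encoding (as in the accepted answer) still applies wherever a stored or reflected value is rendered, since validation and encoding address different steps.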
