
I am learning Angular and have a form with which users can book a hotel. This posts to a 3rd party API.

I understand XSS and ng-bind-html when the data is output back to the view, but how do you strip a form or input box of malicious code before the form is sent to the API?

I know Laravel has a sanitize function that you can wrap in your model beforehand.

$sce and $sanitize, from what I can see, only deal with the view? Or does Angular handle this out of the box?

  • I think it's better to sanitize on the server side, not on the client side, if you do not call the API directly from the client side. Commented Feb 24, 2016 at 14:27

1 Answer


It's best if you sanitize both on the client and server.

  • Server side because: you can't trust a JavaScript client that can be modified through the JS console of the browser. In addition, someone can send a POST/PUT request mimicking your client using cURL.
  • Client side because: faster response and a first line of defense, allowing you to sanitize a value or warn about it without doing a lengthier round trip to the server. You should be including the ngSanitize module and the angular-sanitize.js script in order for value sanitization to take place automatically.

https://docs.angularjs.org/api/ngSanitize
https://www.google.com/about/appsecurity/learning/xss/#PreventingXSS
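The answer's point that the same check has to exist on both sides is easiest to see in code. The block below is an added example, not code from the question, the answer or AngularJS: one plain validation function for a hotel-booking payload that can be called from an Angular controller before the POST and again on the server before the request is forwarded to the third-party API, plus the output-encoding step that actually prevents XSS when a value is later reflected into HTML. The field names, the rules and the two sample payloads are assumptions constructed for the example; a real booking form would have its own schema.

```javascript
// Added example (not from the original post). Allowlist validation for a
// booking form: each field is checked against what it is supposed to contain,
// unexpected fields are rejected rather than forwarded, and nothing is
// "stripped" silently. The same function is meant to run in the browser and
// on the server, because only the server-side run can be trusted.
const RULES = {
  // hypothetical field names for a hotel booking
  guestName: { pattern: /^[\p{L}][\p{L} .'-]{0,79}$/u, required: true },
  email:     { pattern: /^[^\s@]+@[^\s@]+\.[^\s@]+$/, required: true },
  checkIn:   { pattern: /^\d{4}-\d{2}-\d{2}$/, required: true },
  checkOut:  { pattern: /^\d{4}-\d{2}-\d{2}$/, required: true },
  guests:    { pattern: /^[1-9]$/, required: true },
  // free text: only bounded in length here; it is escaped on output instead
  notes:     { pattern: /^[\s\S]{0,500}$/, required: false },
};

// True only for a calendar date that really exists (rejects 2016-02-30).
function isRealDate(s) {
  const d = new Date(s + 'T00:00:00Z');
  return !Number.isNaN(d.getTime()) && d.toISOString().slice(0, 10) === s;
}

// Returns { ok, clean, errors }. `clean` contains only validated fields.
function validateBooking(input) {
  const errors = {};
  const clean = {};
  for (const [field, rule] of Object.entries(RULES)) {
    const raw = input[field] == null ? '' : String(input[field]).trim();
    if (raw === '') {
      if (rule.required) errors[field] = 'required';
      continue;
    }
    if (!rule.pattern.test(raw)) {
      errors[field] = 'invalid';
      continue;
    }
    clean[field] = raw;
  }
  for (const key of Object.keys(input)) {
    // a client under the user's control can add any field it likes
    if (!(key in RULES)) errors[key] = 'unexpected';
  }
  for (const f of ['checkIn', 'checkOut']) {
    if (clean[f] && !isRealDate(clean[f])) errors[f] = 'invalid';
  }
  if (clean.checkIn && clean.checkOut && !errors.checkIn && !errors.checkOut &&
      clean.checkOut <= clean.checkIn) {
    errors.checkOut = 'must be after checkIn';
  }
  return { ok: Object.keys(errors).length === 0, clean, errors };
}

// Output encoding for the one place a value is put into HTML (for example a
// server-rendered confirmation page). Validation bounds the input; this step
// is what keeps a guest name from becoming markup.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed sample payloads (not real bookings).
const SAMPLE_OK = {
  guestName: "Jane O'Brien", email: 'jane@example.com',
  checkIn: '2016-03-01', checkOut: '2016-03-04', guests: '2',
};
const SAMPLE_BAD = {
  guestName: 'Jane<script>', email: 'jane@example.com',
  checkIn: '2016-03-04', checkOut: '2016-03-01', guests: '2', admin: 'true',
};
```

On the client the Angular controller would call `validateBooking($scope.booking)` in the submit handler and show `errors` next to the fields; the server calls the same function on the parsed request body and refuses anything with `ok === false`, regardless of what the client already checked. For the free-text `notes` field the block deliberately does not remove characters: the value is stored as typed and passed through `escapeHtml` (or Angular's default interpolation, which escapes) when it is rendered.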

