正如它在
here中说的那样(在有角度的网站本身),看起来好像没有担心它因为有角度,自动识别不安全的值并消毒它们.
Interpolated content is always escaped—the HTML isn’t interpreted and the browser displays angle brackets in the element’s text content.
For the HTML to be interpreted,bind it to an HTML property such as innerHTML. But binding a value that an attacker might control into innerHTML normally causes an XSS vulnerability. For example,the code contained in a <script> tag is executed:
export class InnerHtmlBindingComponent {
// For example,a user/attacker-controlled value from a URL.
htmlSnippet = 'Template <script>alert("0wned")</script> <b>Syntax</b>';
}
Angular recognizes the value as unsafe and automatically sanitizes it,which removes the <script> tag but keeps safe content such as the text content of the <script> tag and the <b> element.
所以我想,是的,它是安全的.
