Closed
Labels
area: security (Issues related to built-in security features, such as HTML sanitation), feature (Label used to distinguish feature request from other issues)
Description
Angular 2 should implement security features on par with Angular 1. This is a tracking issue for all implementation work.
The basic idea is to implement automatic, secure escaping for all values that can reach the DOM by whitelisting known-to-be-safe patterns, comparable to Angular 1's $sce service. By default, with no specific action from developers, Angular apps must be secure. To support all use cases, allow users to explicitly bypass security checks for specific values (sanitizer.bypassSecurityTrust...).
This follows the OWASP recommendations on XSS prevention.
- Basic security infrastructure:
  - SanitizationService and safe values (Security: Sanitization Service and Safe Value implementation #8387)
  - Security Contexts for HTML, Style, Script, URLs, Resource URLs (Security: Sanitization Service and Safe Value implementation #8387)
  - Sanitize all values before they flow into DOM sinks (Security: Sanitization Service and Safe Value implementation #8387)
  - Allow marking values as safe for particular (Security: Sanitization Service and Safe Value implementation #8387)
  - Sanitize Style/CSS values (Security: Sanitization Service and Safe Value implementation #8387, feat(security): Add an HTML sanitizer #8453)
  - More liberal Style sanitization (More liberal style sanitization #8514)
  - Sanitize URL values (Security: Sanitization Service and Safe Value implementation #8387, feat(security): Add an HTML sanitizer #8453)
  - Allow data: URIs for images and videos (feat(security): allow data: URLs for images and videos. #8661)
  - Sanitize HTML values (feat(security): Add an HTML sanitizer #8453)
  - Log sanitization in development mode (fix(SanitizationService): warn the user when sanitization prevents binding #8522)
  - List all unsafe DOM properties (feat(security): fill in missing security contexts. #8479)
- Easy to use safe HTTP interactions:
  - Automatically strip XSSI prefixes (feat(security): strip XSSI prefix from XHR responses. #8497)
  - Automatically send back XSRF cookies (feat(security): Automatic XSRF handling. #8898)
- Documentation:
  - Mention incomplete security implementation in release notes
  - Document breaking changes for security (chore(security): document sanitization breaking change. #8510)
  - Check implementation/API documentation
  - Security section on Angular site