{
"id": "guide/security",
"title": "Security",
"contents": "\n\n\n<div class=\"content\">\n <h1 id=\"security\">Security<a title=\"Link to this heading\" class=\"header-link\" aria-hidden=\"true\" href=\"guide/security#security\"><i class=\"material-icons\">link</i></a></h1>\n<p>This topic describes Angular's built-in\nprotections against common web-application vulnerabilities and attacks such as cross-site\nscripting attacks. It doesn't cover application-level security, such as authentication and authorization.</p>\n<p>For more information about the attacks and mitigations described below, see <a href=\"https://www.owasp.org/index.php/Category:OWASP_Guide_Project\">OWASP Guide Project</a>.</p>\n<p>You can run the <live-example></live-example> in Stackblitz and download the code from there.</p>\n<div class=\"callout is-important\">\n<a id=\"report-issues\"></a>\n<header>Reporting vulnerabilities</header>\n<p>To report vulnerabilities in Angular itself, email us at <a href=\"mailto:security@angular.io\">security@angular.io</a>.</p>\n<p>For more information about how Google handles security issues, see <a href=\"https://www.google.com/about/appsecurity/\">Google's security\nphilosophy</a>.</p>\n</div>\n<div class=\"callout is-helpful\">\n<a id=\"best-practices\"></a>\n<header>Best practices</header>\n<ul>\n<li>\n<p><strong>Keep current with the latest Angular library releases.</strong>\nWe regularly update the Angular libraries, and these updates may fix security defects discovered in\nprevious versions. 
Check the Angular <a href=\"https://github.com/angular/angular/blob/master/CHANGELOG.md\">change\nlog</a> for security-related updates.</p>\n</li>\n<li>\n<p><strong>Don't modify your copy of Angular.</strong>\nPrivate, customized versions of Angular tend to fall behind the current version and may not include\nimportant security fixes and enhancements. Instead, share your Angular improvements with the\ncommunity and make a pull request.</p>\n</li>\n<li>\n<p><strong>Avoid Angular APIs marked in the documentation as “<em>Security Risk</em>.”</strong>\nFor more information, see the <a href=\"guide/security#bypass-security-apis\">Trusting safe values</a> section of this page.</p>\n</li>\n</ul>\n</div>\n<h2 id=\"preventing-cross-site-scripting-xss\">Preventing cross-site scripting (XSS)<a title=\"Link to this heading\" class=\"header-link\" aria-hidden=\"true\" href=\"guide/security#preventing-cross-site-scripting-xss\"><i class=\"material-icons\">link</i></a></h2>\n<p><a href=\"https://en.wikipedia.org/wiki/Cross-site_scripting\">Cross-site scripting (XSS)</a> enables attackers\nto inject malicious code into web pages. Such code can then, for example, steal user data (in\nparticular, login data) or perform actions to impersonate the user. This is one of the most\ncommon attacks on the web.</p>\n<p>To block XSS attacks, you must prevent malicious code from entering the DOM (Document Object Model). For example, if\nattackers can trick you into inserting a <code>&#x3C;script></code> tag in the DOM, they can run arbitrary code on\nyour website. The attack isn't limited to <code>&#x3C;script></code> tags—many elements and properties in the\nDOM allow code execution, for example, <code>&#x3C;img onerror=\"...\"></code> and <code>&#x3C;a href=\"javascript:...\"></code>. 
If\nattacker-controlled data enters the DOM, expect security vulnerabilities.</p>\n<h3 id=\"angulars-cross-site-scripting-security-model\">Angular's cross-site scripting security model<a title=\"Link to this heading\" class=\"header-link\" aria-hidden=\"true\" href=\"guide/security#angulars-cross-site-scripting-security-model\"><i class=\"material-icons\">link</i></a></h3>\n<p>To systematically block XSS bugs, Angular treats all values as untrusted by default. When a value is inserted into the DO
}
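The XSS section above names two sinks beyond `<script>`: an `<img onerror="...">` handler and a `javascript:` URL in an `href`. The following is an added example, not code from the Angular documentation or from Angular itself. It shows a string-concatenating renderer that lets both payloads through, beside a hardened renderer that treats every value as untrusted and escapes it for the context it lands in (HTML text, or a URL attribute). The attacker strings are constructed for the demonstration; `SAFE_URL` is an allow-list of URL schemes written for this example to illustrate the idea behind Angular's URL sanitization, and is not Angular's implementation. It runs in Node without a DOM by building the markup as a string; in a browser, assigning the unsafe string to `innerHTML` is what would execute the payloads.

```javascript
// Added example (not from the Angular docs): attacker-controlled data
// reaching the DOM, and context-aware escaping that keeps it inert.

// Constructed attacker input carrying the two payloads named in the text.
const ATTACKER_COMMENT = '<img src=x onerror="alert(document.cookie)">';
const ATTACKER_LINK = 'javascript:alert(document.cookie)';

// VULNERABLE: values are concatenated straight into markup. In a browser,
// assigning the result to innerHTML would run both payloads.
function renderCommentUnsafe(author, comment, profileUrl) {
  return `<p><a href="${profileUrl}">${author}</a>: ${comment}</p>`;
}

// Escaping for the HTML text context: every character that can open a tag
// or terminate an attribute becomes an entity, so the browser renders the
// value as literal text instead of parsing it as markup.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Escaping for the URL attribute context. Entity escaping is not enough
// here: "javascript:alert(1)" has no special characters yet still executes
// as an href. Allow-list the scheme (or a relative URL) and neutralize
// anything else with an "unsafe:" prefix, so the link is dead rather than
// executable. SAFE_URL is an illustration written for this example, not
// Angular's pattern.
const SAFE_URL = /^(?:(?:https?|mailto|ftp|tel|file|sms):|[^&:/?#]*(?:[/?#]|$))/i;
function sanitizeUrl(url) {
  const trimmed = String(url).trim();
  return SAFE_URL.test(trimmed) ? trimmed : 'unsafe:' + trimmed;
}

// HARDENED: each value is sanitized for its own context before insertion.
// The href is first scheme-checked, then entity-escaped because it also
// sits inside a quoted attribute.
function renderCommentSafe(author, comment, profileUrl) {
  const href = escapeHtml(sanitizeUrl(profileUrl));
  return `<p><a href="${href}">${escapeHtml(author)}</a>: ${escapeHtml(comment)}</p>`;
}

// Crude check for the demonstration only: does the produced markup still
// contain an inline event handler on a tag, or a javascript: href?
function containsExecutableSink(markup) {
  const eventHandler = /<\w[^>]*\son\w+\s*=/i;
  const jsHref = /href\s*=\s*["']?\s*javascript:/i;
  return eventHandler.test(markup) || jsHref.test(markup);
}

// Usage: the unsafe renderer keeps both payloads; the safe one does not.
const unsafeOut = renderCommentUnsafe('mallory', ATTACKER_COMMENT, ATTACKER_LINK);
const safeOut = renderCommentSafe('mallory', ATTACKER_COMMENT, ATTACKER_LINK);
console.log('unsafe:', unsafeOut, containsExecutableSink(unsafeOut));
console.log('safe:  ', safeOut, containsExecutableSink(safeOut));
```

The point of the split between `escapeHtml` and `sanitizeUrl` is that "untrusted by default" only works if the escaping matches the context: the same `javascript:` string is harmless as text content and dangerous as an `href`, which is why a template system has to know where each value is going, not just that it is a string.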