# Security

This page describes Angular's built-in protections against common web-application vulnerabilities and attacks such as cross-site scripting attacks. It doesn't cover application-level security, such as authentication (_Who is this user?_) and authorization (_What can this user do?_).

For more information about the attacks and mitigations described below, see [OWASP Guide Project](https://www.owasp.org/index.php/Category:OWASP_Guide_Project).

You can run the in Stackblitz and download the code from there.

## Reporting vulnerabilities

To report vulnerabilities in Angular itself, email us at [security@angular.io](mailto:security@angular.io).

For more information about how Google handles security issues, see [Google's security philosophy](https://www.google.com/about/appsecurity/).

## Best practices

* **Keep current with the latest Angular library releases.** We regularly update the Angular libraries, and these updates may fix security defects discovered in previous versions. Check the Angular [change log](https://github.com/angular/angular/blob/master/CHANGELOG.md) for security-related updates.

* **Don't modify your copy of Angular.** Private, customized versions of Angular tend to fall behind the current version and may not include important security fixes and enhancements. Instead, share your Angular improvements with the community and make a pull request.

* **Avoid Angular APIs marked in the documentation as "_Security Risk_."** For more information, see the [Trusting safe values](guide/security#bypass-security-apis) section of this page.

## Preventing cross-site scripting (XSS)

[Cross-site scripting (XSS)](https://en.wikipedia.org/wiki/Cross-site_scripting) enables attackers to inject malicious code into web pages. Such code can then, for example, steal user data (in particular, login data) or perform actions to impersonate the user. This is one of the most common attacks on the web.

To block XSS attacks, you must prevent malicious code from entering the DOM (Document Object Model). For example, if attackers can trick you into inserting a `
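The following TypeScript is an added example, not code from the Angular documentation or the Angular framework. It contrasts the defect the paragraph above describes (untrusted data concatenated straight into markup, so it reaches the DOM as elements) with the standard mitigation of escaping the data so the browser treats it as text, which is what a template engine's interpolation is expected to do for you. The function names (`escapeHtml`, `greetingUnsafe`, `greetingSafe`, `countElements`) and the sample input are constructed for this example.

```typescript
// Added example, not Angular's own code. Shows why untrusted data must be
// escaped before it is placed into HTML, and gives a simple way to observe
// the difference without a browser.

const HTML_ESCAPES: Record<string, string> = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

/**
 * Escape the characters that can change the parsing context inside an HTML
 * text node or a quoted attribute value. After this, the browser renders the
 * input as literal text instead of interpreting it as markup.
 */
function escapeHtml(untrusted: string): string {
  return untrusted.replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

/** Vulnerable pattern: untrusted data is concatenated into markup unchanged. */
function greetingUnsafe(displayName: string): string {
  return `<p>Welcome, ${displayName}!</p>`;
}

/** Hardened pattern: the same template, but the data is escaped first. */
function greetingSafe(displayName: string): string {
  return `<p>Welcome, ${escapeHtml(displayName)}!</p>`;
}

/**
 * Count start and end tags in a markup string. Used here as a coarse check:
 * if the rendered greeting contains more tags than the template itself, the
 * untrusted data has introduced markup of its own.
 */
function countElements(markup: string): number {
  const matches = markup.match(/<\/?[a-zA-Z][^>]*>/g);
  return matches ? matches.length : 0;
}

// Constructed sample input: a display name that carries a script element.
const untrustedName = '<script>alert(1)</script>';

// The template alone has two tags (<p> and </p>). The unsafe version gains
// two more, which means the input has become executable content.
const unsafeTagCount = countElements(greetingUnsafe(untrustedName)); // 4
const safeTagCount = countElements(greetingSafe(untrustedName));     // 2
console.log({ unsafeTagCount, safeTagCount, safe: greetingSafe(untrustedName) });
```

The escaping here covers the HTML text and quoted-attribute contexts only; data placed into a URL, a `style` attribute, or a script block needs a different encoder, which is why frameworks sanitize per context rather than with one escape function.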