block includes
  include ../_util-fns
:marked
  Web application security has many facets. This section describes Angular's built-in
  protections against common web application vulnerabilities and attacks such as cross-site
  scripting (XSS). It does not cover application-level security, such as authentication (_Who is
  this user?_) or authorization (_What can this user do?_).

  For more information about the attacks and mitigations described below, see the [OWASP Guide Project](https://www.owasp.org/index.php/Category:OWASP_Guide_Project).
.l-main-section
:marked
  # Contents:
  * [Reporting vulnerabilities](#report-issues).
  * [Best practices](#best-practices).
  * [Preventing cross-site scripting (XSS)](#xss).
  * [Trusting safe values](#bypass-security-apis).
  * [HTTP-level vulnerabilities](#http).
  * [Auditing Angular applications](#code-review).

  Try the live example of the code shown in this page.
.l-main-section
h2#report-issues Reporting vulnerabilities
:marked
  Email us at [security@angular.io](mailto:security@angular.io) to report vulnerabilities in
  Angular itself.

  For more information about how Google handles security issues, see [Google's security
  philosophy](https://www.google.com/about/appsecurity/).
.l-main-section
h2#best-practices Best practices
:marked
  * **Keep current with the latest Angular library releases.**
  We regularly update the Angular libraries, and these updates may fix security defects discovered in
  previous versions. Check the Angular [change
  log](https://github.com/angular/angular/blob/master/CHANGELOG.md) for security-related updates.
  * **Don't modify your copy of Angular.**
  Private, customized versions of Angular tend to fall behind the current release and may not include
  important security fixes and enhancements. Instead, share your Angular improvements with the
  community and make a pull request.
  * **Avoid Angular APIs marked in the documentation as "[_Security Risk_](#bypass-security-apis)."**
.l-main-section
h2#xss Preventing cross-site scripting (XSS)
:marked
  [Cross-site scripting (XSS)](https://en.wikipedia.org/wiki/Cross-site_scripting) enables attackers
  to inject malicious code into web pages. Such code can then, for example, steal user data (in
  particular, their login data) or perform actions impersonating the user. It is one of the most
  common attacks on the web.
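
  The following is an added example, not code from the Angular documentation or the Angular code
  base. It contrasts the vulnerable pattern (concatenating untrusted input straight into HTML, the
  equivalent of assigning to `innerHTML`) with contextual escaping, which is the idea behind
  Angular's template interpolation: a bound value is treated as untrusted text and escaped before
  it reaches the DOM. The template, the `render*` helper names and the two attacker payloads are
  constructed for this illustration; one payload breaks out of element content, the other out of
  a quoted attribute.

  ```javascript
  // Added example (not from the Angular docs or the Angular code base): a minimal
  // template renderer that contrasts an unescaped HTML sink with contextual
  // escaping. All names, the template and the payloads below are constructed.

  const HTML_ESCAPES = {
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  };

  // Escape the five characters that can change HTML structure. Applied to every
  // untrusted value before concatenation, this keeps the value as inert text in
  // both element-content and quoted-attribute contexts.
  function escapeHtml(value) {
    return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
  }

  // Substitute {{name}} placeholders. `escape` selects whether values are
  // treated as text (hardened) or inserted verbatim (the vulnerable pattern).
  function render(template, data, escape) {
    return template.replace(/\{\{\s*(\w+)\s*\}\}/g, (_, key) => {
      const raw = Object.prototype.hasOwnProperty.call(data, key) ? data[key] : '';
      return escape ? escapeHtml(raw) : String(raw);
    });
  }

  // Vulnerable: equivalent to element.innerHTML = '...' + userInput + '...'.
  function renderUnsafe(template, data) {
    return render(template, data, false);
  }

  // Hardened: equivalent to what a framework does for a text binding.
  function renderSafe(template, data) {
    return render(template, data, true);
  }

  // Crude visibility aid, not a sanitizer: count element start tags so that an
  // injected <img> or <script> shows up as an extra tag beyond the template's own.
  function countTags(html) {
    return (html.match(/<[a-zA-Z]/g) || []).length;
  }

  // Constructed template: contributes exactly two tags (<p> and <a>).
  const TEMPLATE =
    '<p>Hello, {{name}}!</p><a title="{{title}}" href="/profile">profile</a>';

  // Constructed attacker inputs: the first adds a new element with an event
  // handler, the second closes the title attribute and adds one.
  const ATTACK = {
    name: '<img src=x onerror="stealCookies()">',
    title: '" onmouseover="stealCookies()',
  };

  function demo() {
    const unsafe = renderUnsafe(TEMPLATE, ATTACK);
    const safe = renderSafe(TEMPLATE, ATTACK);
    return {
      unsafe,
      safe,
      unsafeTagCount: countTags(unsafe), // 3: the attacker's <img> got in
      safeTagCount: countTags(safe),     // 2: only the template's own tags
    };
  }

  const result = demo();
  console.log('unsafe :', result.unsafe);
  console.log('escaped:', result.safe);
  ```

  Run it with `node`. The escaped output still contains the attacker's text, but as `&lt;img ...&gt;`
  and `&quot; onmouseover=...`, so the browser renders it as characters rather than parsing it as
  markup. Note that escaping is the right tool only when the value is meant to be text; a value that
  must be rendered as HTML needs a real sanitizer, not this function.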
  To block XSS attacks, you must prevent malicious code from entering the DOM (Document Object Model). For example, if an
  attacker can trick you into inserting a `