From 06e8f374e5a9324647d16eb2279845183fc3c27c Mon Sep 17 00:00:00 2001 From: "Zhimin YE (Rex)" Date: Thu, 23 Jun 2016 14:32:12 +0100 Subject: [PATCH] draft translation of security.jade. --- public/docs/ts/latest/guide/security.jade | 177 +++++++++++++++++++++- 1 file changed, 176 insertions(+), 1 deletion(-) diff --git a/public/docs/ts/latest/guide/security.jade b/public/docs/ts/latest/guide/security.jade index bfefc79095..a28fc416ae 100644 --- a/public/docs/ts/latest/guide/security.jade +++ b/public/docs/ts/latest/guide/security.jade @@ -6,123 +6,223 @@ block includes Scripting Attacks. It does not cover application level security, such as authentication (_Who is this user?_) or authorization (_What can this user do?_). + Web应用程序的安全有很多方面。针对常见的漏洞和攻击,比如跨站脚本攻击,Angular提供了一些内建保护措施。本文将讨论这些内建保护措施。 + 但是本文不会覆盖应用程序级别的安全,比如用户认证(_这个用户是谁?_)和授权(_这个用户能做什么?_) + The [Open Web Application Security Project (OWASP)](https://www.owasp.org/index.php/Category:OWASP_Guide_Project) has further information on the attacks and mitigations described below. + [开放式Web应用程序安全项目(OWASP)](https://www.owasp.org/index.php/Category:OWASP_Guide_Project)有更多下面描述的关于攻击和防攻击的信息。 + .l-main-section :marked # Table Of Contents + # 目录 * [Reporting Vulnerabilities](#report-issues) + + * [漏洞报告](#report-issues) + * [Best Practices](#best-practices) + + * [最佳实践](#best-practices) + * [Preventing Cross-Site Scripting (XSS)](#xss) + + * [防止跨站脚本(XSS)](#xss) + * [Trusting Safe Values](#bypass-security-apis) + + * [信任安全值](#bypass-security-apis) + * [HTTP-level Vulnerabilities](#http) + + * [HTTP级别漏洞](#http) + * [Auditing Angular Applications](#code-review) + * [审计Angular应用程序](#code-review) + p Try the #[+liveExampleLink2()] of the code shown in this chapter. +p 运行#[+liveExampleLink2('在线例子')] .l-main-section h2#report-issues Reporting Vulnerabilities + +h2#report-issues 漏洞报告 + :marked Email us at [security@angular.io](mailto:security@angular.io) to report vulnerabilities in Angular itself. + 电邮我们:[security@angular.io](mailto:security@angular.io),报告Angular内在的漏洞。 + For further details on how Google handles security issues please refer to [Google's security philosophy](https://www.google.com/about/appsecurity/). + 参见[谷歌安全哲学](https://www.google.com/about/appsecurity/)获取更多关于谷歌如何处理安全问题的信息。 + .l-main-section h2#best-practices Best Practices + +h2#best-practices 最佳实践 + :marked * **Keep current with the latest Angular library releases.** We regularly update our Angular libraries and these updates may fix security defects discovered in previous version. Check the Angular [change log](https://github.com/angular/angular/blob/master/CHANGELOG.md) for security-related updates. - * **Don't modify your copy of Angular.** + * **及时更新Angular包到最新版本。** + 我们频繁的更新Angular包,这些更新可能会修复之前版本中发现的安全漏洞。查看Angular的[更新记录](https://github.com/angular/angular/blob/master/CHANGELOG.md),获取安全更新详情。 + + * **Don't modify your copy of Angular.** Private, customized versions of Angular tend to fall behind the current version and may neglect important security fixes and enhancements. Instead, share your Angular improvements with the community and make a pull request. + * **不要修改你的Angular副本** + 私有的,制定版本的Angular往往跟不上最新版本,可能会忽略重要的安全补丁和安全增强。取而代之,在社区共享你对Angular的改进并创建Pull Request。 + * **Avoid Angular APIs marked in the documentation as “[_Security Risk_](#bypass-security-apis)”.** + * **避免使用在文档中标记为“[_安全风险_](#bypass-security-apis)”的Angular API。** .l-main-section h2#xss Preventing Cross-Site Scripting (XSS) + +h2#xss 防止跨站脚本(XSS) :marked [Cross-Site Scripting (XSS)](https://en.wikipedia.org/wiki/Cross-site_scripting) enables attackers to inject malicious code into web pages. Such code can then for example steal user's data (in particular their login data), or perform actions impersonating the user. This is one of the most common attacks on the web. + [跨站脚本(XSS)](https://en.wikipedia.org/wiki/Cross-site_scripting)允许攻击者将恶意代码注入到网页上。这样的代码可以偷取用户数据 + (特别是他们的登陆数据),也冒充用户执行操作。它是在Web上最常见的攻击方式之一。 + To block XSS attacks, we must prevent malicious code from entering the DOM. For example, if an attacker can trick us into inserting a `