
I have recently started using Angular. I am normally used to purifying any HTML that is stored in my database. My backend uses PHP; I use HTML Purifier to purify HTML. But when I use Angular string binding, HTML entities, for example, don't display correctly:

data = '<data'

//template string binding:
<div>{{data}}</div>

Output on website: &lt;data

So I saw in another question that I should use `[innerHTML]='data'`:
Display HTML special characters in Angular 2 bindings?

My question is: Is it necessary to purify my HTML at all? Since it seems like Angular string binding does prevent XSS from happening. That would be nice, since it would speed up the performance of my server because it doesn't have to purify the HTML.

Stan
  • I think it's up to you. Yes angular will escape HTML characters by default, should you do it in your DB, maybe? – Liam Aug 12 '20 at 14:08
  • It depends on what you're trying to achieve. If you just want to stop XSS, `htmlspecialchars()` is better than HTML Purifier on the backend side - HTML Purifier is a tool you should use if you want to _allow_ some HTML to be displayed. I unfortunately can't judge the frontend side of this (hence a comment, not answer). I usually always recommend doing sanitising or escaping in the backend if you can, as frontend is so easy to manipulate, but whether that's sensible advice depends so much on your software architecture as a whole that I'm not sure the generic advice will help here. Good luck! – pinkgothic Aug 13 '20 at 08:32
  • I have several fields in my custom CMS that are just plain text. But I also have some input fields that are edited with a WYSIWYG editor (TinyMCE). So I assume that I should use HTML Purifier for the WYSIWYG input combined with `[innerHTML]='data'`. And for the normal text input, according to you, I should use `htmlspecialchars()`, which means that Angular string binding shouldn't be used to prevent XSS, right? – Stan Aug 13 '20 at 10:55
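The following is an added example, not code from the question, from Angular or from HTML Purifier. It models the two binding paths discussed above as plain functions so the `&lt;data` symptom and the split proposed in the comments (escaped plain text for `{{ }}`, allowlist-sanitised rich text for `[innerHTML]`) can be reproduced without a browser. `escapeHtml` stands in for what text interpolation effectively does to a value (the same transformation as PHP's `htmlspecialchars()`), `visibleText` for what the browser displays after decoding entities, and `sanitizeRichText` is a small allowlist rebuilder standing in for HTML Purifier on the WYSIWYG path; all names and the sample inputs are the example's own.

```typescript
// Added example (not Angular's, HTML Purifier's or the asker's code): a model
// of text-interpolation escaping versus innerHTML, and of an allowlist
// sanitiser for rich-text fields. All names are the example's own.

const ENTITY: Record<string, string> = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// What text interpolation ({{ data }}) effectively emits into the DOM: every
// character that could start markup becomes an entity, so the browser shows
// it literally. htmlspecialchars() on the server produces the same output.
function escapeHtml(text: string): string {
  return text.replace(/[&<>"']/g, (c) => ENTITY[c]);
}

// What the browser shows for entity-encoded markup (only the five entities
// produced above are decoded; a single pass, so "&amp;lt;" becomes "&lt;").
function visibleText(markup: string): string {
  const back: Record<string, string> = {
    '&lt;': '<', '&gt;': '>', '&quot;': '"', '&#39;': "'", '&amp;': '&',
  };
  return markup.replace(/&(?:lt|gt|quot|#39|amp);/g, (e) => back[e]);
}

// Allowlist sanitiser for WYSIWYG output: text runs pass through, tags are
// rebuilt from a fixed list with no attributes (except an http(s) href on
// <a>), and anything else, including every event-handler attribute, is
// dropped. A stray "<" that does not start a tag is escaped.
const ALLOWED = new Set(['p', 'br', 'b', 'i', 'strong', 'em', 'ul', 'ol', 'li', 'a']);

function sanitizeRichText(html: string): string {
  const re = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>|<|[^<]+/g;
  let out = '';
  let m: RegExpExecArray | null;
  while ((m = re.exec(html)) !== null) {
    const [tok, close, rawName, attrs] = m;
    if (rawName === undefined) {          // text run or a lone "<"
      out += tok === '<' ? '&lt;' : tok;
      continue;
    }
    const name = rawName.toLowerCase();
    if (!ALLOWED.has(name)) continue;     // element not on the allowlist: dropped
    if (close) { out += `</${name}>`; continue; }
    let keep = '';
    if (name === 'a') {
      const href = /\bhref\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i.exec(attrs);
      const url = href ? (href[1] ?? href[2] ?? href[3]) : undefined;
      if (url && /^https?:\/\//i.test(url.trim())) keep = ` href="${escapeHtml(url.trim())}"`;
    }
    out += `<${name}${keep}>`;
  }
  return out;
}

// The field-type split from the comments: plain-text fields are stored raw
// and escaped at render time (what {{ }} does); rich-text fields are run
// through the allowlist sanitiser and bound with [innerHTML].
type FieldKind = 'plain' | 'rich';

function markupFor(kind: FieldKind, stored: string): string {
  return kind === 'plain' ? escapeHtml(stored) : sanitizeRichText(stored);
}

// Constructed sample values, reproducing the question's symptom:
const rawValue = '<data';          // stored as typed
const purifiedValue = '&lt;data';  // stored after server-side escaping

console.log(visibleText(escapeHtml(rawValue)));       // "<data"   raw + {{ }}: correct and safe
console.log(visibleText(escapeHtml(purifiedValue)));  // "&lt;data" escaped twice: the symptom
console.log(visibleText(purifiedValue));              // "<data"   already-escaped + [innerHTML]
console.log(markupFor('rich', '<p onclick="x()">Hi <b>there</b> <img src="a.png"></p>'));
```

Run with `npx tsx example.ts` (or any TypeScript runner). The three `visibleText` lines show why the page's output read `&lt;data`: a value that was already entity-encoded on the server is encoded a second time by interpolation, and the browser then displays the first encoding literally. Escaping belongs in exactly one place per field, and only the rich-text path needs a sanitiser at all.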

0 Answers