
I have an angular application with multiple sub apps, which were built in angular too. I host the main application and it has tabs in it. The sub applications get loaded inside the iframe of the main app.

When the security team tested it, they are saying the app is vulnerable to DOM injection. But as per Angular documentation, DOM injection is by default handled.

I am looking to see if there is anything else additional that needs to be done in order to prevent DOM injection.

indra257
  • You use an iframe in an Angular application? Generally you use a router-outlet, not an iframe. – Eliseo Dec 11 '22 at 17:29
  • @Eliseo I use an iframe to load my sub-applications which were built independently using angular – indra257 Dec 12 '22 at 14:14

2 Answers


As you said that you're using independent angular sub-applications, if your projects are on the latest angular version, I would suggest using module federation for building micro-frontends and integrating with the shell app. You can read more about this here. The iFrame is a little outdated and I went through this and stopped using the iFrames in my applications. Primarily iframes should be used to show static content. If you're still using iframes then you're not making use of the new features that Angular provides at all.


Anglesvar

I do not have much information or background for this question but hopefully I can guide you in the right direction.

There are two possible concepts you can look into regarding DOM injection in Angular:

  1. You can take a look at the built-in service DomSanitizer.
  2. You can take a look at CspPolicies.

Both these solutions are for the purpose of protecting your site and DOM against XSS-attacks.

I hope this has helped you at least a bit. Feel free to answer if you need more help :) I am new here on StackOverflow and would love to help you more.

  • And also, in addition to this, maybe ask your security team why and where it is vulnerable to DOM injection. This could also help. – Bernhard Miehl Dec 13 '22 at 07:19
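Added example, not from the question or either answer: Angular already refuses to bind an untrusted value to an iframe's `src` (a resource URL context) unless you explicitly go through `DomSanitizer.bypassSecurityTrustResourceUrl`, so the practical question for a shell-plus-iframes setup is what you check before trusting a sub-app URL, and which CSP directives (from the second answer) back that up. The allow-listed origins, the sandbox flags and the CSP builder below are assumptions for illustration, not the asker's real hosts or policy.

```typescript
// Constructed allow-list of sub-app origins the shell is permitted to frame.
// Replace with your own; never build this from user-controlled input.
const ALLOWED_SUB_APP_ORIGINS: readonly string[] = [
  "https://billing.example.com",
  "https://reports.example.com",
];

// Returns the normalised URL if it is safe to load in a sub-app iframe, else null.
// Rejects anything that is not an absolute https URL (javascript:, data:, blob:,
// relative paths) and any origin not on the allow-list, so a value that arrived
// via a route parameter or query string cannot redirect the frame elsewhere.
// Only a URL that passes this check should ever be handed to
// bypassSecurityTrustResourceUrl in the shell component.
function safeSubAppUrl(
  candidate: string,
  allowed: readonly string[] = ALLOWED_SUB_APP_ORIGINS,
): string | null {
  let url: URL;
  try {
    url = new URL(candidate); // relative or malformed input throws here
  } catch {
    return null;
  }
  if (url.protocol !== "https:") return null;
  if (!allowed.includes(url.origin)) return null; // exact origin match, no suffix tricks
  return url.href;
}

// Sandbox flags for the <iframe sandbox="..."> attribute. An Angular sub-app needs
// scripts and its own origin to run; it does not need to navigate the top window
// or open popups. Only use allow-scripts together with allow-same-origin when the
// sub-app is on a different origin from the shell, otherwise it can drop the sandbox.
const SUB_APP_SANDBOX = "allow-scripts allow-same-origin allow-forms";

// Builds the Content-Security-Policy value the shell should be served with:
// only allow-listed origins may be framed, and the shell may only be framed by itself.
function shellCsp(allowed: readonly string[] = ALLOWED_SUB_APP_ORIGINS): string {
  return [
    "default-src 'self'",
    `frame-src ${allowed.join(" ")}`,
    "frame-ancestors 'self'",
    "object-src 'none'",
  ].join("; ");
}
```

Each framed sub-app should additionally send its own CSP with `frame-ancestors` naming the shell origin, so it cannot be embedded by a third-party page.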