btford / angular-markdown-directive

AngularJS markdown directive using Showdown.js

Does using angular-sanitize protect against Showdown XSS? #34

Open canebat opened 9 years ago

canebat commented 9 years ago

Showdown has an XSS bug: https://github.com/showdownjs/showdown/issues/57

Will including angular-sanitize as you have it in the README help prevent this?

tivie commented 9 years ago

You can't really prevent XSS attacks in showdown before the input is fully parsed into HTML, because markdown provides a number of ways to inject a script that are very hard (or close to impossible) to detect by usual means.

So angular-sanitize should be used AFTER the HTML is processed. This prevents most classic XSS attacks but does not prevent the defacing of your webpage (with images, for instance).
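The ordering point above, as an added example that is not code from angular-markdown-directive, Showdown or angular-sanitize. The converter below is a deliberately tiny stand-in for Showdown that only handles links and images, and `sanitizeHtml` is a small allow-list filter standing in for ngSanitize's `$sanitize`; the sample input is constructed for the demo. Run on the Markdown source, the filter sees no tag to strip and the `javascript:` link slips through once converted; run on the converted HTML, the `href` is recognised and dropped, while the benign image (the defacement case) is kept.

```javascript
// Added example: why sanitizing must run on the HTML produced by the Markdown
// converter, not on the Markdown source. Not code from the project, Showdown or
// angular-sanitize; the converter and sanitizer below are stand-ins.

// Stand-in converter (NOT Showdown): handles only ![alt](src) images and
// [text](href) links. Raw inline HTML passes through unchanged, as in Markdown.
function toyMarkdownToHtml(md) {
  return md
    .replace(/!\[([^\]]*)\]\(([^)\s]+)\)/g, '<img alt="$1" src="$2">')
    .replace(/\[([^\]]*)\]\(([^)\s]+)\)/g, '<a href="$2">$1</a>');
}

// Allow-list of tags and the attributes each may keep (stand-in for $sanitize).
const ALLOWED = new Map([
  ['a', ['href']], ['img', ['src', 'alt']],
  ['p', []], ['br', []], ['em', []], ['strong', []], ['code', []], ['pre', []],
]);

// A URL is acceptable if it has no scheme at all (relative path, fragment) or
// uses http(s)/mailto. Anything with another scheme (javascript:, data:, ...) fails.
const SAFE_URL = /^(?:https?:|mailto:|\/|#|[^:]*$)/i;

// Undo the usual tricks for hiding a scheme from a naive check: numeric and
// named entities for ':' and control/whitespace characters browsers ignore.
function normalizeUrl(value) {
  const fromCodePoint = (n) => (n <= 0x10ffff ? String.fromCodePoint(n) : '\uFFFD');
  return value
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => fromCodePoint(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => fromCodePoint(Number(d)))
    .replace(/&colon;/gi, ':')
    .replace(/[\u0000-\u0020]/g, '');
}

function sanitizeHtml(html) {
  // script/style elements are dropped together with their contents.
  const withoutScripts = html.replace(/<(script|style)\b[^>]*>[\s\S]*?<\/\1\s*>/gi, '');
  // Every remaining tag is rebuilt from the allow-list; unknown tags vanish,
  // unknown attributes (onerror, style, ...) are never copied over.
  return withoutScripts.replace(/<\/?([a-zA-Z][\w-]*)\b([^>]*)>/g, (tag, name, attrs) => {
    const lower = name.toLowerCase();
    if (!ALLOWED.has(lower)) return '';
    if (tag.startsWith('</')) return `</${lower}>`;
    const kept = [];
    const attrRe = /([a-zA-Z_:][\w:.-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
    let m;
    while ((m = attrRe.exec(attrs)) !== null) {
      const attrName = m[1].toLowerCase();
      const value = m[2] ?? m[3] ?? m[4];
      if (!ALLOWED.get(lower).includes(attrName)) continue;
      if ((attrName === 'href' || attrName === 'src') && !SAFE_URL.test(normalizeUrl(value))) continue;
      kept.push(`${attrName}="${value.replace(/"/g, '&quot;')}"`);
    }
    return `<${lower}${kept.length ? ' ' + kept.join(' ') : ''}>`;
  });
}

// Constructed sample input (not from the issue): raw HTML payloads an input
// filter would catch, plus a Markdown-only payload it cannot see.
const SAMPLE_MARKDOWN = [
  'Hello <script>alert(1)</script>',
  '<img src=x onerror=alert(1)>',
  '[click me](javascript:alert%28document.cookie%29)', // no tag here for an input filter to strip
  '![kitten](https://example.com/defacement.png)',     // harmless to the DOM, still defaces the page
].join('\n');

// Wrong order: filter the Markdown source, then convert. The javascript: link survives.
function sanitizeThenConvert(md) {
  return toyMarkdownToHtml(sanitizeHtml(md));
}

// Right order: convert first, then sanitize the resulting HTML.
function convertThenSanitize(md) {
  return sanitizeHtml(toyMarkdownToHtml(md));
}

console.log('sanitize -> convert:\n' + sanitizeThenConvert(SAMPLE_MARKDOWN) + '\n');
console.log('convert -> sanitize:\n' + convertThenSanitize(SAMPLE_MARKDOWN));
```

In the correct ordering the output still contains `<img alt="kitten" src="https://example.com/defacement.png">`: a sanitizer that allows images has to allow them, which is exactly the defacement residue described above. The regex sanitizer here is for illustration of the ordering only; in a real AngularJS app keep `$sanitize` (or a maintained library such as DOMPurify) on Showdown's output rather than rolling your own.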

JakobKallin commented 9 years ago

Please note that the issue referenced is not about XSS - I just happened to discover it while writing about XSS. I have clarified this in the other issue's comment thread.