jvandemo / angularcodereview-com

Collection of free checklists you can use to perform a code review of your Angular application.
http://angularcodereview.com/

new entry for angularjs security part - user must not be able to change client side template #4

Closed anschnapp closed 7 years ago

anschnapp commented 7 years ago

Check that it's not possible for the user to change the client-side template

  • Do not mix client and server templates
  • Do not use user input to generate templates dynamically
  • Do not run user input through $scope.$eval (or any of the other expression parsing functions listed above)

Also don't allow user input for expressions used in

see: https://docs.angularjs.org/guide/security

jvandemo commented 7 years ago

@git2snap — Awesome, would you be interested in creating a PR for this? Thanks! 👍

anschnapp commented 7 years ago

Hi @jvandemo, happy that you like it! Sure I will make a PR for this.

jvandemo commented 7 years ago

@git2snap — Thank you, much appreciated!

anschnapp commented 7 years ago

Hi @jvandemo, I have added a PR some time ago. The build failed, but for me it looks like the problem is not related to my changes (maybe some misconfiguration in the pipe?).

Please inform me if the issue is on my side.

jvandemo commented 7 years ago

@git2snap — The JSPM auth token had expired. I have updated it and now your changes have been deployed to the website.

Thanks again for your wonderful addition. Much appreciated! 🏆