0 votes
in Angular by

What happens if you use script tag inside template?

1 Answer

0 votes
by
Angular recognizes the value as unsafe and automatically sanitizes it, which removes the script tag but keeps safe content such as the text content of the script tag. This way it eliminates the risk of script injection attacks. If you still use it then it will be ignored and a warning appears in the browser console.

Let's take an example of innerHtml property binding which causes XSS vulnerability,

export class InnerHtmlBindingComponent {

  // For example, a user/attacker-controlled value from a URL.

  htmlSnippet = 'Template <script>alert("0wned")</script> <b>Syntax</b>';

}
...