0 votes
in Angular by
What happens when you use the script tag within a template?

1 Answer

0 votes
by

Angular detects the value as unsafe and sanitizes it automatically, removing the script tag but retaining safe material such as the script tag's text content. This reduces the potential of script injection attacks. If you continue to use it, it will be disregarded, and a warning will display in the browser console.

Example: Consider the case of innerHtml property binding, which results in an XSS vulnerability.

export class InnerHtmlBindingComponent {
    // For example, an attacker-controlled value from a URL, containing a malicious script.
    htmlSnippet = 'Template <script>alert("You are hacked !!!!")</script> <b>Syntax</b>';
}
...
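The following is an added example, not part of the original answer and not Angular's own sanitizer: a simplified plain-JavaScript model of allowlist sanitization that reproduces the behaviour the answer describes for `htmlSnippet` (the script tag is removed, its text survives as inert text, and `<b>` is kept). The names `ALLOWED_TAGS`, `escapeText` and `sanitizeHtml` and the tag allowlist are assumptions made for illustration.

```javascript
// Simplified model of allowlist HTML sanitization (NOT Angular's sanitizer).
// ALLOWED_TAGS and both function names are assumptions made for this example.
const ALLOWED_TAGS = new Set(['b', 'i', 'em', 'strong', 'p']);

// Escape characters that would otherwise start markup in a text node.
function escapeText(text) {
  return text.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Walk the input tag by tag. Allowlisted tags are re-emitted bare (all
// attributes dropped, so no event handlers survive); any other tag is removed.
// Text between tags, including the text inside <script>, is kept but escaped,
// so it can only ever render as inert text.
function sanitizeHtml(input) {
  const tagPattern = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)\b[^>]*>/g;
  const removed = [];
  let output = '';
  let cursor = 0;
  let match;
  while ((match = tagPattern.exec(input)) !== null) {
    output += escapeText(input.slice(cursor, match.index));
    const name = match[2].toLowerCase();
    if (ALLOWED_TAGS.has(name)) {
      output += `<${match[1]}${name}>`;
    } else {
      removed.push(name);
    }
    cursor = tagPattern.lastIndex;
  }
  output += escapeText(input.slice(cursor));
  return { output, removed };
}

// The value from the answer's component.
const htmlSnippet = 'Template <script>alert("You are hacked !!!!")</script> <b>Syntax</b>';
const result = sanitizeHtml(htmlSnippet);
console.log(result.output);
if (result.removed.length > 0) {
  // Mirrors the idea of a console warning when content was stripped.
  console.warn('sanitizer removed tags:', result.removed.join(', '));
}
```

Because every piece of text is escaped and only bare allowlisted tags are emitted, the output cannot contain an executable element or an event-handler attribute, even when the tag matching is imperfect.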