JavaScript

Made by DeepSource

Strict Contextual Escaping (SCE) is disabled in AngularJS JS-S1022

Category: Security
Severity: Critical
Tags: a03, cwe-116, owasp top 10, angularjs, cwe-707

Strict Contextual Escaping (SCE) is a security feature in AngularJS that helps protect against cross-site scripting (XSS) attacks. It prevents potentially dangerous content from being injected into a web application by escaping or sanitizing user-generated content before it is rendered. To block XSS bugs systematically, AngularJS treats every value bound into HTML or into a sensitive URL context as untrusted by default. When such an untrusted value is bound, AngularJS automatically applies the security check appropriate to the context (HTML sanitization, or a trusted resource URL check), and throws an error when it cannot guarantee that the result is safe.

Disabling SCE strips your application of these protections and is therefore strongly discouraged.

Bad Practice

angular.module('myAppWithSceDisabled', []).config(function($sceProvider) {
  $sceProvider.enabled(false); // should not be set to `false`
});

Recommended

angular.module('myApp', []).config(function($sceProvider) {
  $sceProvider.enabled(true); // or do not set this at all, since SCE is enabled (`true`) by default
});
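As an added example (not DeepSource's rule implementation and not AngularJS code), the following check scans plain JavaScript source text for the pattern this rule flags, `$sceProvider.enabled(false)`, and also reports calls whose argument is not a literal, since those cannot be decided statically and deserve a manual look. Assumes the input is source text; the sample inputs are constructed to mirror the snippets above.

```javascript
// Matches `$sceProvider.enabled(<arg>)` and captures the argument text.
// Whitespace around the dot, the parentheses and the argument is tolerated.
const ENABLED_CALL = /\$sceProvider\s*\.\s*enabled\s*\(\s*([^)]*?)\s*\)/g;

// Returns one finding per call: { line, kind: 'disabled' | 'dynamic', arg }.
// kind 'disabled'  -> literal `false`, which is what rule JS-S1022 reports
// kind 'dynamic'   -> a non-literal argument (e.g. a config flag); needs review
// Calls with `true`, or with no argument (the getter form), are not reported.
function findSceDisabled(source) {
  const findings = [];
  source.split(/\r?\n/).forEach((line, idx) => {
    if (line.trim().startsWith('//')) return; // ignore full-line comments
    for (const m of line.matchAll(ENABLED_CALL)) {
      const arg = m[1];
      if (arg === 'false') {
        findings.push({ line: idx + 1, kind: 'disabled', arg });
      } else if (arg !== 'true' && arg !== '') {
        findings.push({ line: idx + 1, kind: 'dynamic', arg });
      }
    }
  });
  return findings;
}

// Constructed sample inputs (not real application code).
const BAD_SOURCE = `angular.module('myAppWithSceDisabled', []).config(function($sceProvider) {
  $sceProvider.enabled(false);
});`;

const GOOD_SOURCE = `angular.module('myApp', []).config(function($sceProvider) {
  $sceProvider.enabled(true);
});`;

const DYNAMIC_SOURCE = `angular.module('myApp', []).config(function($sceProvider) {
  $sceProvider.enabled(window.APP_CONFIG.sce); // cannot be decided statically
});`;

module.exports = { findSceDisabled, BAD_SOURCE, GOOD_SOURCE, DYNAMIC_SOURCE };
```

Running `findSceDisabled(BAD_SOURCE)` reports line 2 as `disabled`; the recommended snippet yields no findings.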
