What are the risks of using bypassSecurityTrustHtml?

Using bypassSecurityTrustHtml disables Angular's built-in protection for that specific element, which can lead to XSS if the input hasn't been strictly validated on the server.

How does Angular automatically prevent XSS?

Angular treats all values as untrusted by default and automatically escapes data during interpolation and property binding to prevent malicious script execution.

How does a Content Security Policy (CSP) improve Angular security?

CSP provides a defense-in-depth layer by defining which resource origins (scripts, styles, images) are trusted, preventing the execution of unauthorized scripts even if an XSS vulnerability exists.

When is it appropriate to use DomSanitizer?

Use DomSanitizer when you must programmatically trust HTML, styles, or URLs that are otherwise blocked by Angular's default security, typically for trusted third-party content.

Angular XSS Prevention

Name: Angular XSS Prevention
Author: EhssanAtassi

byEhssanAtassi

セキュリティとテスト

Implements robust security patterns to protect Angular applications from Cross-Site Scripting (XSS) vulnerabilities.

概要

This skill provides Claude with deep domain expertise in Angular security, focusing on mitigating Cross-Site Scripting (XSS) through framework-native protections and industry best practices. It enables the identification of vulnerable code patterns like unsafe innerHTML usage and provides step-by-step implementation guides for DomSanitizer, Content Security Policies (CSP), and secure URL whitelisting. Use this skill to audit frontend code, refactor dangerous DOM manipulations, and establish a defense-in-depth strategy for modern web applications.

主な機能

Context-aware sanitization for HTML, Styles, and URLs
Automated detection of dangerous bypassSecurityTrust methods
Comprehensive Content Security Policy (CSP) configuration templates
Validation logic for safe file uploads and dynamic content
0 GitHub stars
Secure coding patterns for rendering user-generated Markdown

ユースケース

Implementing safe rendering for external API data and user biographies
Auditing legacy Angular projects for common XSS attack vectors
Configuring a secure Content Security Policy with nonces

概要

主な機能

Context-aware sanitization for HTML, Styles, and URLs
Automated detection of dangerous bypassSecurityTrust methods
Comprehensive Content Security Policy (CSP) configuration templates
Validation logic for safe file uploads and dynamic content
0 GitHub stars
Secure coding patterns for rendering user-generated Markdown

ユースケース

Implementing safe rendering for external API data and user biographies
Auditing legacy Angular projects for common XSS attack vectors
Configuring a secure Content Security Policy with nonces