Use of SCE bypass
What does this mean ?
Strict Contextual Escaping (SCE) is the AngularJS mechanism that refuses to render an arbitrary string in an HTML context (for example through ng-bind-html) unless the value has been sanitized or explicitly marked as trusted. It can be bypassed in two ways: globally, by calling $sceProvider.enabled(false) in the module's config block, or per value, by wrapping a value with one of the $sce.trustAs methods (for example $sce.trustAsHtml(value)). Either way, once untrusted data reaches an HTML binding with SCE bypassed, the application is vulnerable to cross-site scripting (XSS).
What can happen ?
If the value that is trusted or bound as HTML is attacker-controlled (a comment body, a profile field, a URL parameter), the markup it contains is inserted into the DOM verbatim, and any script it carries (for example an onerror handler on an img element) executes in the victim's browser with the privileges of the victim's session: it can read cookies and tokens the page can reach and perform any action the user could perform in the application.
How to prevent it ?
- Do not disable SCE with $sceProvider.enabled(false); keep it enabled application-wide.
- Avoid the ng-bind-html-unsafe directive (removed in AngularJS 1.2; it never escaped or sanitized its input). Bind untrusted content with ng-bind, which escapes it, and use ng-bind-html together with the ngSanitize module only where rendering HTML is really required.
- Do not pass user-controlled input to a $sce.trustAs method such as $sce.trustAsHtml(value); reserve those calls for values the application builds itself from constants or from data it has already sanitized.
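The following is an added example, not code from the original page or from AngularJS. It uses a small stand-in for the part of the $sce contract that matters here (trustAsHtml wraps a value, getTrustedHtml unwraps trusted values and rejects plain strings, and an enabled flag models $sceProvider.enabled(false)); the bindHtml function models what an HTML binding does with trusted versus untrusted values, escaping untrusted strings the way ng-bind would rather than running a sanitizer. The controllers, the FOOTER_TEMPLATE constant and the comment payload are all constructed for the illustration and are not real AngularJS APIs.

```javascript
'use strict';

// Stand-in for a value wrapped by $sce.trustAsHtml (constructed for this example).
function TrustedHtml(value) { this.$$unwrap = String(value); }

const sce = {
  enabled: true, // false models $sceProvider.enabled(false): the global bypass
  // Mirrors $sce.trustAsHtml: marks a value as safe for the HTML context.
  trustAsHtml(value) { return new TrustedHtml(value); },
  // Mirrors $sce.getTrustedHtml: trusted values unwrap, plain strings are
  // rejected while SCE is enabled (AngularJS throws an 'unsafe' error).
  getTrustedHtml(value) {
    if (value instanceof TrustedHtml) return value.$$unwrap;
    if (!this.enabled) return String(value); // SCE off: nothing is checked
    throw new Error('unsafe: untrusted value reached an HTML context');
  },
};

// Escaping as ng-bind applies it to text it renders.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// Models an HTML binding: trusted values (or anything, when SCE is off)
// are inserted verbatim; untrusted strings are escaped instead.
function bindHtml(value) {
  if (value instanceof TrustedHtml || !sce.enabled) return sce.getTrustedHtml(value);
  return escapeHtml(value);
}

// VULNERABLE: the attacker-controlled comment body is marked trusted,
// so whatever markup it contains reaches the DOM unchanged.
function vulnerableController(comment) {
  return { renderedBody: sce.trustAsHtml(comment.body) };
}

// HARDENED: user data stays untrusted. Only a developer-controlled
// template fragment, never derived from input, is passed to trustAsHtml.
const FOOTER_TEMPLATE = '<p class="footer">Posted via <b>Example</b></p>'; // constant, not user input
function hardenedController(comment) {
  return {
    renderedBody: comment.body,               // escaped (or sanitized) at bind time
    footer: sce.trustAsHtml(FOOTER_TEMPLATE), // safe: built from a constant
  };
}

// Constructed attacker input: a classic onerror-based XSS payload.
const PAYLOAD = { author: 'mallory', body: '<img src=x onerror="alert(document.cookie)">' };

function renderVulnerable() {
  return bindHtml(vulnerableController(PAYLOAD).renderedBody);
}

function renderHardened() {
  const vm = hardenedController(PAYLOAD);
  return bindHtml(vm.renderedBody) + bindHtml(vm.footer);
}

// Same hardened controller, but with SCE globally disabled: the bypass
// makes the untrusted body render raw even though nobody called trustAs.
function renderHardenedWithSceDisabled() {
  sce.enabled = false;
  try {
    return bindHtml(hardenedController(PAYLOAD).renderedBody);
  } finally {
    sce.enabled = true;
  }
}

console.log('vulnerable controller :', renderVulnerable());
console.log('hardened controller   :', renderHardened());
console.log('hardened, SCE disabled:', renderHardenedWithSceDisabled());
```

The first and third outputs contain the payload verbatim, which is exactly what an HTML sink would execute; the second escapes it while still rendering the footer the application built from a constant. In a real AngularJS application the hardened controller's comment.body would be bound with ng-bind, or with ng-bind-html plus ngSanitize when limited HTML must be allowed.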