Skip to content

Use of SCE bypass

What does this mean ?

The Angular SCE service may be turned off globally using the $sceProvider.enabled() method in the controller's config block, or per instance using the $sce.trustAs methods. However, when untrusted data is bound as HTML, the application becomes vulnerable to cross-site scripting (XSS) attacks.

What can happen ?

Specific input avoids pattern matching and results in a legitimate JavaScript statement, resulting in an XSS.


  • Avoid using the ng-bind-html-unsafe directive
  • Avoid naively trusting user input by using the Strict Contextual Escaping suite of methods such as $sce.trustAsHtml (value)

Sample Code

Vulnerable :

myApp.filter('stripDangerousHTML', function($sce) {
    return function(value) {
        let input = value
        input = input
        .replace(/javascript/g, '')
        .replace(/alert/g, '');
        return $sce.trustAsHtml(input);