For security reasons, Angular documentation clearly states to ...not use user input to generate templates dynamically. However, I want to do just that. I would like to allow users to use input fields to generate CSS freely and use it to create their own templates, which they could then download. I know $sanitize works to clean HTML, but I am not aware if there is anything that allows you to do this with CSS, that will protect the site from security vulnerabilities.

Is it possible?

Thanks in advance.

1 Answer

You can preview user-inputted templates with style tags. I've used $templateCache to load user HTML.

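    // Register the user's markup under a random name and point ng-include at it.
    // makeid() is assumed to be a helper defined elsewhere that returns a random string.
    $scope.loadTemplate = function () {
        var randomStringName = makeid();
        $scope.templVar = randomStringName;
        // $scope.templ holds the raw template text entered by the user.
        $templateCache.put(randomStringName, $scope.templ);
    };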

HTML

    <div ng-include="templVar"></div>

http://plnkr.co/edit/8HP7HWwMvlXYiusE9TGH?p=preview

4 Comments

This is great! Thanks for the help. What aspect of it stops XSS or other potential hacks?
This is vulnerable to XSS, you can inject JavaScript if jQuery is included.
How to deal with the negative security implications of this? I am using jqLite.
Since you are using jqLite, I believe you should be ok. Take a look at this.. stackoverflow.com/questions/13876961/… .. To be safe, scrub CSS as mentioned in the second answer.
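
An added example, not part of the original thread and not AngularJS's own code: one way to scrub user-supplied CSS, as the last comment recommends, is to accept only a list of declarations and keep those that pass an allowlist. The property list, the value rules and the name `scrubDeclarations` are assumptions chosen for illustration.

```javascript
// Allowlist scrubber for user-supplied CSS declarations (illustrative).
// ALLOWED_PROPS and the value rules are assumptions; widen them deliberately.
const ALLOWED_PROPS = new Set([
  'color', 'background-color', 'font-size', 'font-weight', 'font-family',
  'text-align', 'margin', 'padding', 'border', 'border-radius', 'width', 'height'
]);

// The only function calls accepted are colour functions with numeric arguments.
const COLOR_FUNC = /\b(?:rgb|rgba|hsl|hsla)\([0-9\s.,%]+\)/gi;
// Everything else must be keywords, numbers, units, hex colours and commas.
// No parentheses, quotes, colons, braces, backslashes, '<', '@' or '/'.
const SAFE_VALUE = /^[a-z0-9\s.,%#+-]+$/i;

function scrubDeclarations(css) {
  const kept = [];
  const dropped = [];
  // Remove well-formed comments first so they cannot split or hide a token.
  const text = String(css).replace(/\/\*[\s\S]*?\*\//g, '');
  for (const raw of text.split(';')) {
    const decl = raw.trim();
    if (!decl) continue;
    const idx = decl.indexOf(':');
    const prop = idx > 0 ? decl.slice(0, idx).trim().toLowerCase() : '';
    const value = idx > 0 ? decl.slice(idx + 1).trim() : '';
    // Collapse accepted colour functions, then require a plain value.
    const plain = value.replace(COLOR_FUNC, 'c');
    if (ALLOWED_PROPS.has(prop) && SAFE_VALUE.test(plain)) {
      kept.push(`${prop}: ${value}`);
    } else {
      dropped.push(decl); // report back so the user sees what was rejected
    }
  }
  return { css: kept.join('; '), dropped };
}
```

The application, not the user, should supply the selector and braces wrapped around the returned declarations, and `dropped` can be shown back to the user so rejected lines are visible.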
