What do you understand by strict contextual escaping?

AngularJS treats all values bound into HTML or into sensitive URL attributes as untrusted. It automatically runs security checks while binding such values and throws an error if it cannot guarantee that the result is safe. What it can do depends on the context: HTML can be sanitized, but template URLs cannot.

To illustrate this, consider the following directive:

ng-bind-html
It renders its value directly as HTML. When the input is untrusted, AngularJS will try to sanitize it before rendering, provided a sanitizer (the $sanitize service from the ngSanitize module) is available; otherwise it throws. To bypass sanitization and render the input as-is, the value must be explicitly marked as trusted (for example with $sce.trustAsHtml).
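The following is an added example, not AngularJS's own code: a small constructed model of the $sce contract just described, showing the three outcomes for a value bound through ng-bind-html (sanitized when a sanitizer is loaded, passed through untouched when marked trusted, rejected with an error otherwise). The TrustedValue class, toySanitize, makeSce and renderNgBindHtml are all assumed names written for this illustration.

```javascript
// Constructed model of the $sce / $sanitize contract described above; it is
// not AngularJS's own code. Only the control flow is modelled: a plain string
// is untrusted, a TrustedValue wrapper is what $sce.trustAs*() hands back.
class TrustedValue {
  constructor(context, value) {
    this.context = context; // e.g. 'html' or 'resourceUrl'
    this.value = value;
  }
}

// Toy stand-in for ngSanitize's $sanitize so the example runs offline. The real
// service is allow-list based; this deny-list version is for illustration only.
function toySanitize(html) {
  return String(html)
    .replace(/<script\b[^>]*>[\s\S]*?<\/script\s*>/gi, '')       // script blocks
    .replace(/\s+on\w+\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+)/gi, ''); // on* handlers
}

// Build an $sce-like object. Pass { sanitizer: toySanitize } to model an app
// that loaded ngSanitize; omit it to model one that did not.
function makeSce({ sanitizer = null } = {}) {
  return {
    trustAsHtml: (v) => new TrustedValue('html', v),
    getTrusted(context, maybeTrusted) {
      if (maybeTrusted == null || maybeTrusted === '') return maybeTrusted;
      if (maybeTrusted instanceof TrustedValue) {
        // Trusted for exactly this context: pass the wrapped value through.
        if (maybeTrusted.context === context) return maybeTrusted.value;
        maybeTrusted = maybeTrusted.value; // trusted for another context: plain
      }
      // HTML is the one context that can be repaired by sanitizing.
      if (context === 'html' && sanitizer) return sanitizer(maybeTrusted);
      // No sanitizer, or a template (resource) URL: refuse rather than guess.
      // Real AngularJS additionally allows same-origin resource URLs by default.
      throw new Error(`[$sce:unsafe] unsafe value in a safe context (${context})`);
    },
  };
}

// What ng-bind-html does with its bound value before calling element.html().
function renderNgBindHtml(sce, value) {
  return sce.getTrusted('html', value) || '';
}

// Constructed untrusted input: ordinary markup mixed with script and a handler.
const UNTRUSTED =
  '<p>Hello <b>world</b></p><script>alert(1)</script><img src="x" onerror="alert(1)">';
const SANITIZED_HTML = renderNgBindHtml(makeSce({ sanitizer: toySanitize }), UNTRUSTED);
console.log(SANITIZED_HTML); // '<p>Hello <b>world</b></p><img src="x">'
```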

In AngularJS, strict contextual escaping (SCE) is a security feature that helps prevent Cross-Site Scripting (XSS) attacks. XSS attacks occur when an application allows user input to be treated as HTML and executed in the browser, potentially leading to malicious code execution.

Strict contextual escaping in AngularJS involves the automatic sanitization of user-generated content before rendering it in the browser. This process ensures that any potentially harmful content is treated as plain text and not interpreted as executable code. AngularJS achieves this by associating a security context with each piece of data and then sanitizing, or rejecting, that data according to its context.

For example, AngularJS may treat user input differently if it is intended to be rendered as plain text, an HTML attribute, or HTML content within an element. By using strict contextual escaping, AngularJS helps developers build more secure web applications by reducing the risk of XSS vulnerabilities.