
How do I securely use any query parameters that I receive? I have read about DOM sanitizing in Angular 4, but I can't find anything about securely using query parameters in Angular 4.

Example:

https://www.myangularproject.com/?parameter1=value

I want to avoid people injecting their own code or scripts as the value.

Martijn van den Bergh

1 Answer


Make sure that the parameter can be securely cast to the type of data that you expect it to be (if you expect a number, make sure `+queryParam` is not `NaN`, and so on), and never use `eval` on data from the queryParams. You can rest assured about putting queryParams values inside the DOM, as they are sanitized by Angular before being interpolated into the view. This, I think, should do.

Armen Vardanyan
  • Thanks for the answer. So you are saying that I should escape it myself and that there is no automatic Angular sanitization for query parameters? This wasn't clear in the Angular docs, hence the question – Martijn van den Bergh Dec 01 '17 at 11:15
  • There is no need to "sanitize" it, just don't use `eval` on it and make sure to cast it to the expected type (because queryParams always emit strings). So essentially, yes, you do not have much work to do on this one – Armen Vardanyan Dec 01 '17 at 11:18
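The pattern the answer describes, as an added example that is not part of the original question or answer: every value is taken as the string it arrives as, coerced to the type the component expects (or replaced by a default) and, where the set of legal values is small, checked against an allow-list. Node's `URL` class stands in for the string map that Angular's `ActivatedRoute.queryParams` emits, so the code runs outside Angular; the parameter names `page`, `sort` and `q`, the sample URL and the `escapeHtml` helper (which makes visible what `{{ }}` text interpolation already does for you) are assumptions of this example, not anything from the original post.

```typescript
// Added example, not from the original post. Typed, validated handling of
// query-string values. The names page/sort/q and the sample URL are assumed.

// The shape ActivatedRoute.queryParams emits: every value is a string.
export type RawQueryParams = Record<string, string>;

export interface SafeParams {
  page: number;          // positive integer, defaulted when the input is not one
  sort: 'asc' | 'desc';  // allow-listed; anything else falls back to 'asc'
  q: string;             // free text, length-capped, only ever rendered as text
}

const SORT_VALUES = ['asc', 'desc'] as const;
const MAX_QUERY_LENGTH = 200;

// Stand-in for ActivatedRoute.queryParams: decode the query string of a URL.
export function parseQueryString(href: string): RawQueryParams {
  const out: RawQueryParams = {};
  new URL(href).searchParams.forEach((value, key) => { out[key] = value; });
  return out;
}

// Coerce to a positive integer or return the fallback. The regex rejects what a
// bare +value would accept silently: '', '1e3', '0x10', '1.5', ' 7', '-2'.
export function toPositiveInt(value: string | undefined, fallback: number): number {
  if (value === undefined || !/^\d{1,9}$/.test(value)) return fallback;
  const n = Number(value);
  return Number.isSafeInteger(n) && n > 0 ? n : fallback;
}

// Allow-list check: the value is either one of the known sort orders or dropped.
export function toSort(value: string | undefined): 'asc' | 'desc' {
  return (SORT_VALUES as readonly string[]).includes(value ?? '')
    ? (value as 'asc' | 'desc')
    : 'asc';
}

// Build the typed object the rest of the component works with. Nothing here is
// ever passed to eval, new Function, or an [innerHTML] binding.
export function parseSafeParams(raw: RawQueryParams): SafeParams {
  return {
    page: toPositiveInt(raw['page'], 1),
    sort: toSort(raw['sort']),
    q: (raw['q'] ?? '').slice(0, MAX_QUERY_LENGTH),
  };
}

const HTML_ESCAPES: Record<string, string> = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Equivalent of what {{ q }} text interpolation yields in the DOM: the payload
// becomes inert text. Shown explicitly so the contrast with [innerHTML] is visible.
export function escapeHtml(s: string): string {
  return s.replace(/[&<>"']/g, c => HTML_ESCAPES[c]);
}

// Constructed sample URL (assumed, not from the post): a script payload in q,
// a non-numeric page, and a sort value that is not on the allow-list.
export const SAMPLE_URL =
  'https://www.myangularproject.com/?page=12abc&sort=DROP&q=<script>alert(1)</script>';

export function demo(): { params: SafeParams; rendered: string } {
  const params = parseSafeParams(parseQueryString(SAMPLE_URL));
  return { params, rendered: escapeHtml(params.q) };
}
```

Binding `params.q` with `{{ }}` or `[textContent]` keeps it inert exactly as `escapeHtml` shows; binding the same string with `[innerHTML]` hands it to Angular's HTML sanitizer instead, which strips the script but still treats the value as markup, so prefer the text binding for anything that comes off the query string.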