How does Angular handle XSS or CSRF?

Question

How does Angular (2) handle XSS and CSRF. Does it even handle these attacks? If so, what do I have to do to use this protection? If not, do I have to handle all these attac

Answer 1

Angular2 provides built-in, enabled by default*, anti XSS and CSRF/XSRF protection.

The DomSanitizationService takes care of removing the dangerous bits in order to prevent an XSS attack.

The CookieXSRFStrategy class (within the XHRConnection class) takes care of preventing CSRF/XSRF attacks.

*Note that the CSRF/XSRF protection is enabled by default on the client but only works if the backend sets a cookie named XSRF-TOKEN with a random value when the user authenticates. For more information read up about the Cookie-to-Header Token pattern.

UPDATE: Official Angular2 security documentation: https://angular.io/docs/ts/latest/guide/security.html (Thanks to Martin Probst for the edit suggestion!).