by AgentME
3527 days ago
Some examples of issues with the old sandbox can be found here: http://www.slideshare.net/x00mario/an-abusive-relationship-w... The expression sandbox was not secure (and would be extremely difficult and heavily bloat the size of Angular to secure) and was not intended to be secure. It only blacklisted specific known attacks. As your link says, they removed it because people kept thinking it was a security feature they could rely on. Angular runs eval on the page DOM. This isn't secure when the page DOM is controlled by an attacker (such as a webpage trying to elevate into an extension's privileges). Angular 1.x is the wrong tool to use within page extensions.