Add security note about AngularJS in Smarty

805b16c8 · Sean Madsen · c97326bb · 805b16c8
Commit 805b16c8 authored 7 years ago by Sean Madsen
--- a/docs/framework/angular/loader.md
+++ b/docs/framework/angular/loader.md
@@ -160,6 +160,24 @@ in the Smarty template:
 </div>
 ```

+!!! caution "Security note"
+
+    The [AngularJS Security Guide](https://docs.angularjs.org/guide/security) says:
+    
+    > Do not use user input to generate templates dynamically
+    
+    This means that if you put an `ng-app` element in a Smarty template as shown above, it's very important that you do not use Smarty to put any user input inside the `ng-app` element.
+    
+    For example, the following Smarty template would be a security risk:
+    
+    ```html
+    <div ng-app="crmCaseType">
+      <div ng-view="">{$untrustedData}</div>
+    </div>
+    ```
+    
+    because if the `$untrustedData` PHP variable contains a string like `{{1+2}}`, then AngularJS will execute `1+2` and open the door to XSS vulnerabilities. 
+
 Finally, flush the cache and visit the new page.

 ```