From 805b16c84b447c5f6f4aa4261f2ee7f4ef32de75 Mon Sep 17 00:00:00 2001
From: Sean Madsen <sean@seanmadsen.com>
Date: Fri, 4 Aug 2017 15:31:14 -0600
Subject: [PATCH] Add security note about AngularJS in Smarty

---
 docs/framework/angular/loader.md | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/docs/framework/angular/loader.md b/docs/framework/angular/loader.md
index 3ba2473c..685a19c1 100644
--- a/docs/framework/angular/loader.md
+++ b/docs/framework/angular/loader.md
@@ -160,6 +160,24 @@ in the Smarty template:
 </div>
 ```
 
+!!! caution "Security note"
+
+    The [AngularJS Security Guide](https://docs.angularjs.org/guide/security) says:
+    
+    > Do not use user input to generate templates dynamically
+    
+    This means that if you put an `ng-app` element in a Smarty template as shown above, it's very important that you do not use Smarty to put any user input inside the `ng-app` element.
+    
+    For example, the following Smarty template would be a security risk:
+    
+    ```html
+    <div ng-app="crmCaseType">
+      <div ng-view="">{$untrustedData}</div>
+    </div>
+    ```
+    
+    because if the `$untrustedData` PHP variable contains a string like `{{1+2}}`, then AngularJS will execute `1+2` and open the door to XSS vulnerabilities. 
+
 Finally, flush the cache and visit the new page.
 
 ```
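Review bot: the closing paragraph of the hunk ("if the `$untrustedData` PHP variable contains a string like `{{1+2}}` ...") leaves a gap a reader is likely to fall into: it does not say that Smarty's HTML escaping (e.g. `{$untrustedData|escape}`) gives no protection here, since the `{{1+2}}` payload contains no HTML-special characters and survives escaping unchanged. Suggest adding a sentence such as "Note that HTML-escaping the value does not help, because `{{ }}` interpolation markers are not HTML." and pointing readers to hand such data to the Angular application out of band (for example as a JSON-encoded value the Angular code reads) instead of rendering it into the markup inside `ng-app`. Wording: "AngularJS will execute `1+2`" reads loosely; "AngularJS will evaluate the expression `1+2` in the application's scope" states more precisely why arbitrary expressions are the problem. Minor style: the line ending "XSS vulnerabilities. " carries trailing whitespace.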
-- 
GitLab