
Don't disable SCE

Don't disable SCE in your application

CheckId NG1020101
TypeName DontDisableSce
Severity Error
Type AngularJS Module

Strict Contextual Escaping (SCE) is a mode in which AngularJS constrains bindings to only render trusted values. Its goal is to assist in writing code in a way that (a) is secure by default, and (b) makes auditing for security vulnerabilities such as XSS, clickjacking, etc. a lot easier. SCE is enabled by default, and although it can be disabled completely, doing so is highly discouraged. With SCE disabled, $sce.getTrusted returns whatever value it is given, so a directive such as ng-bind-html inserts any string, including user input, into the DOM unchanged; the $sanitize step that ngSanitize would otherwise apply to untrusted HTML is skipped as well. Once an application has been built with SCE disabled it is hard to secure it by hand, and hard to enable SCE at a later stage, because every binding that relied on the missing checks then has to be revisited.

Bad practice

// Bad practice: disabling SCE for the whole application removes the trust checks
// from every binding that uses it (ng-bind-html, ng-include, iframe src, ...).
myApp.config(['$sceProvider', function ($sceProvider) {
  $sceProvider.enabled(false);
}]);
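The alternative, shown here as an added example that is neither SPCAF's nor AngularJS's own code, is to leave SCE on and state the trust level of each value: escaped text for plain strings, $sanitize (via the ngSanitize module) for HTML the application did not write, and $sce.trustAsHtml only for markup assembled from constants the application controls. The module name myApp, the controller, the sample comment and the two helper functions are assumptions made for this illustration; the helpers take $sce as a parameter, in the same dependency-injection shape Angular uses, so they can be exercised outside a browser.

```javascript
// Added example (not SPCAF's or AngularJS's own code). Assumes angular.js and
// angular-sanitize.js are loaded in the browser; the module name "myApp", the
// controller name and the sample comment are made up for illustration.

// Builds the view model for one comment. Each field states its trust level
// explicitly instead of switching SCE off for the whole application.
function buildCommentViewModel($sce, comment) {
  return {
    // Plain text: bind with {{ }} or ng-bind, which HTML-escapes. No trust marking.
    author: comment.author,
    // Attacker-controlled HTML: left as an ordinary string. When bound with
    // ng-bind-html, $sce hands it to $sanitize (from ngSanitize), which strips
    // scripts and event-handler attributes before it reaches the DOM.
    body: comment.body,
    // Markup built only from constants the application owns: the one place
    // where explicit trust is appropriate. Never interpolate user data here.
    badge: $sce.trustAsHtml(comment.verified
      ? '<span class="badge">verified</span>'
      : '<span class="badge">guest</span>')
  };
}

// Guard for a run block or a test suite: fail fast if some config block has
// called $sceProvider.enabled(false). $sce.isEnabled() is the real Angular API.
function assertSceEnabled($sce) {
  if (!$sce.isEnabled()) {
    throw new Error('SCE is disabled; ng-bind-html would render untrusted HTML unchecked');
  }
  return true;
}

// Angular wiring; skipped when Angular is not present so the helpers above can
// also be loaded by a plain Node script.
if (typeof angular !== 'undefined') {
  angular.module('myApp', ['ngSanitize']) // ngSanitize supplies $sanitize for untrusted strings
    .run(['$sce', function ($sce) { assertSceEnabled($sce); }])
    .controller('CommentController', ['$sce', function ($sce) {
      // Constructed sample standing in for data returned by an API.
      var comment = {
        author: 'mallory',
        body: '<b>hi</b><img src="x" onerror="alert(1)">',
        verified: false
      };
      this.vm = buildCommentViewModel($sce, comment);
    }]);
}

// Matching template, shown as a comment:
//   <div ng-controller="CommentController as ctrl">
//     <p ng-bind="ctrl.vm.author"></p>          <!-- escaped text -->
//     <div ng-bind-html="ctrl.vm.body"></div>   <!-- sanitized: onerror attribute removed -->
//     <div ng-bind-html="ctrl.vm.badge"></div>  <!-- trusted wrapper, rendered as-is -->
//   </div>
```

With SCE enabled and ngSanitize loaded, the body binding renders the bold text but not the onerror handler; without ngSanitize the same binding throws an "unsafe" error instead of rendering, which is the fail-closed behaviour the rule is protecting.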

Disclaimer: The views and opinions expressed in this documentation and in SPCAF do not necessarily reflect the opinions and recommendations of Microsoft or any member of Microsoft. SPCAF and RENCORE are registered trademarks of Rencore. All other trademarks, service marks, collective marks, copyrights, registered names, and marks used or cited by this documentation are the property of their respective owners.