You can enable AngularJS CSP support. More details here. Sample code below:
```html
<!doctype html>
<html ng-app ng-csp>
...
...
</html>
```

`ng-csp` forces you not to use code that can be injected, like `eval` and `Function`.
`ng-sanitize`, from the doc:

> The input is sanitized by parsing the HTML into tokens. All safe tokens (from a whitelist) are then serialized back to properly escaped html string. This means that no unsafe input can make it into the returned string, however, since our parser is more strict than a typical browser parser, it's possible that some obscure input, which would be recognized as valid HTML by a browser, won't make it through the sanitizer. The input may also contain SVG markup. The whitelist is configured using the functions `aHrefSanitizationWhitelist` and `imgSrcSanitizationWhitelist` of `$compileProvider`.
Simply put, you cannot attach any piece of code using innerHTML.

For `$sce`, you can refer to the following links: `trustAsHtml` and its nice tutorial.

Apart from this, you can use an auth token.

Edit: You can verify the input in the backend to make sure no injection has been made.
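To make the quoted sanitizer description concrete, here is a small whitelist sanitizer in plain JavaScript written the way the doc describes it: parse the HTML into tokens, keep only whitelisted tags and attributes, check `href`/`src` values against a scheme whitelist, and serialize the survivors back as escaped HTML. This is an added illustration, not the answer's own code and not `angular-sanitize`; the tag set, attribute set and the two URL regexes are assumptions loosely modelled on the `$compileProvider` defaults, and the tokenizer is deliberately simpler (and stricter) than a browser parser, which is exactly the caveat the doc gives.

```javascript
// Illustrative whitelist-based HTML sanitizer (added example; not angular-sanitize).
// Assumed whitelists: a small tag set, a few attributes, and scheme regexes
// modelled on the $compileProvider aHref/imgSrc defaults.
const SAFE_TAGS = new Set(['a', 'b', 'br', 'em', 'i', 'img', 'li', 'p', 'strong', 'ul']);
const VOID_TAGS = new Set(['br', 'img']);
const SAFE_ATTRS = { a: new Set(['href', 'title']), img: new Set(['src', 'alt']) };
const BLOCKED_CONTENT = new Set(['script', 'style']); // element AND its text are dropped
const A_HREF_WHITELIST = /^\s*(https?|ftp|mailto|tel|file):/i;
const IMG_SRC_WHITELIST = /^\s*((https?|ftp|file|blob):|data:image\/)/i;

// One regex drives the tokenizer: comment | end tag | start tag | text | stray '<'.
// Attribute values containing '>' are not handled; this parser is stricter than a browser.
const TOKEN_RE = /<!--[\s\S]*?-->|<\/([a-zA-Z][\w-]*)[^>]*>|<([a-zA-Z][\w-]*)([^>]*)>|[^<]+|</g;
const ATTR_RE = /([^\s=\/"']+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

const NAMED_ENTITIES = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };

// Decode the handful of entities we understand so that re-escaping does not double-encode.
function decodeEntities(s) {
  return s.replace(/&(?:#x([0-9a-f]+)|#(\d+)|(amp|lt|gt|quot|apos));/gi, (all, hex, dec, name) => {
    if (name) return NAMED_ENTITIES[name.toLowerCase()];
    const cp = parseInt(hex !== undefined ? hex : dec, hex !== undefined ? 16 : 10);
    return cp > 0 && cp <= 0x10ffff ? String.fromCodePoint(cp) : '\uFFFD';
  });
}

// Escape for both text nodes and double-quoted attribute values.
function escapeText(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

function parseAttrs(raw) {
  const attrs = {};
  const re = new RegExp(ATTR_RE.source, 'g');
  let m;
  while ((m = re.exec(raw)) !== null) {
    const value = m[2] !== undefined ? m[2] : m[3] !== undefined ? m[3] : (m[4] || '');
    attrs[m[1].toLowerCase()] = value;
  }
  return attrs;
}

function tokenize(html) {
  const tokens = [];
  TOKEN_RE.lastIndex = 0;
  let m;
  while ((m = TOKEN_RE.exec(html)) !== null) {
    if (m[0].startsWith('<!--')) tokens.push({ type: 'comment' });
    else if (m[1]) tokens.push({ type: 'end', name: m[1].toLowerCase() });
    else if (m[2]) tokens.push({ type: 'start', name: m[2].toLowerCase(), attrs: parseAttrs(m[3]) });
    else tokens.push({ type: 'text', value: m[0] }); // includes a lone '<'
  }
  return tokens;
}

// Serialize a start tag keeping only whitelisted attributes; href/src must pass the scheme check.
function serializeStart(tok) {
  const allowed = SAFE_ATTRS[tok.name] || new Set();
  let s = '<' + tok.name;
  for (const [name, rawValue] of Object.entries(tok.attrs)) {
    if (!allowed.has(name)) continue;
    const value = decodeEntities(rawValue);
    if (name === 'href' && !A_HREF_WHITELIST.test(value)) continue; // attribute dropped, not rewritten
    if (name === 'src' && !IMG_SRC_WHITELIST.test(value)) continue;
    s += ` ${name}="${escapeText(value)}"`;
  }
  return s + (VOID_TAGS.has(tok.name) ? '/>' : '>');
}

function sanitizeHtml(html) {
  const out = [];
  const openStack = []; // whitelisted elements currently open, for balanced output
  let skipDepth = 0;    // > 0 while inside <script>/<style>
  for (const tok of tokenize(html)) {
    if (tok.type === 'start') {
      if (BLOCKED_CONTENT.has(tok.name)) { skipDepth++; continue; }
      if (skipDepth || !SAFE_TAGS.has(tok.name)) continue; // unknown tag dropped, its text kept
      out.push(serializeStart(tok));
      if (!VOID_TAGS.has(tok.name)) openStack.push(tok.name);
    } else if (tok.type === 'end') {
      if (BLOCKED_CONTENT.has(tok.name)) { if (skipDepth) skipDepth--; continue; }
      if (skipDepth || !SAFE_TAGS.has(tok.name)) continue;
      const idx = openStack.lastIndexOf(tok.name);
      if (idx === -1) continue; // stray close tag
      while (openStack.length > idx) out.push(`</${openStack.pop()}>`);
    } else if (tok.type === 'text') {
      if (!skipDepth) out.push(escapeText(decodeEntities(tok.value)));
    } // comments are dropped
  }
  while (openStack.length) out.push(`</${openStack.pop()}>`); // close anything left open
  return out.join('');
}
```

Calling `sanitizeHtml('<script>alert(1)</script><p onclick="x()">ok</p>')` returns `<p>ok</p>`, and a `javascript:` `href` is simply dropped from an `<a>` tag rather than rewritten. Because the output is rebuilt from tokens, nothing from the input reaches the result except whitelisted tag names, whitelisted attribute values that passed the scheme check, and escaped text, which is the property the doc describes for `ng-bind-html` with `ngSanitize` loaded.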