# Angular Unsafe Security Context Bypass

- ID: angular-unsafe-pipe
- Severity: CRITICAL
- CWE: Cross-Site Scripting (XSS) (CWE-79)
- Languages: JavaScript, TypeScript

## Description

The `DomSanitizer.bypassSecurityTrust*` methods completely disable Angular's XSS protection for the value they wrap, so any user-controllable data passed to them can inject script.

## Detection Message

DomSanitizer.{method} used without proper input validation. This completely disables XSS protection.

## Remediation

Validate with strict allowlists before using bypassSecurityTrust methods.

```typescript
import { DomSanitizer, SafeResourceUrl } from '@angular/platform-browser';

const ALLOWED_DOMAINS = ['youtube.com', 'vimeo.com'];

embedVideo(urlString: string): SafeResourceUrl | null {
  let url: URL;
  try {
    url = new URL(urlString); // throws on malformed input
  } catch {
    return null;
  }
  if (url.protocol !== 'https:') return null;
  // Exact host or a true subdomain: a bare endsWith() would also accept "evil-youtube.com".
  const hostOk = ALLOWED_DOMAINS.some(d => url.hostname === d || url.hostname.endsWith('.' + d));
  if (!hostOk) return null;
  return this.sanitizer.bypassSecurityTrustResourceUrl(urlString);
}
```

Learn more: https://shoulder.dev/learn/typescript/cwe-79/unsafe-pipe

## Related Rules

- **Angular Unsafe Property Binding** [HIGH]:
- **Cross-Site Scripting (XSS) via Response** [HIGH]:
- **Cross-Site Scripting (XSS) in Templates** [HIGH]:
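The allowlist check from the remediation, written out as an added example that is not part of this rule's text or the linked shoulder.dev page. It keeps Angular out so it runs in plain Node/TypeScript: `validateEmbedUrl` returns the normalized URL string you would then hand to `bypassSecurityTrustResourceUrl` inside the component, or `null` when any check fails. The names `validateEmbedUrl`, `hostMatches`, `naiveHostCheck` and the `ALLOWED_EMBED_HOSTS` list are assumptions for this illustration; `naiveHostCheck` is included only to show what a bare suffix comparison gets wrong.

```typescript
// Added example (not the rule's or shoulder.dev's code): framework-free allowlist
// validation for a URL destined for DomSanitizer.bypassSecurityTrustResourceUrl().
// ALLOWED_EMBED_HOSTS and the function names below are assumptions for illustration.
const ALLOWED_EMBED_HOSTS: readonly string[] = ['youtube.com', 'vimeo.com'];

/** True if `hostname` is `domain` itself or a subdomain of it (never a lookalike suffix). */
function hostMatches(hostname: string, domain: string): boolean {
  return hostname === domain || hostname.endsWith('.' + domain);
}

/**
 * Returns a normalized https URL string that passed every allowlist check,
 * or null. Only the non-null result should ever reach bypassSecurityTrust*.
 */
function validateEmbedUrl(
  input: string,
  allowedHosts: readonly string[] = ALLOWED_EMBED_HOSTS,
): string | null {
  let url: URL;
  try {
    url = new URL(input); // throws on malformed or relative input
  } catch {
    return null;
  }
  // Scheme check: "javascript:" and "data:" URLs parse successfully, so this is essential.
  if (url.protocol !== 'https:') return null;
  // Reject embedded credentials ("https://youtube.com@other.example/") outright,
  // even though the hostname check would already see "other.example".
  if (url.username !== '' || url.password !== '') return null;
  if (!allowedHosts.some(d => hostMatches(url.hostname, d))) return null;
  return url.href; // WHATWG URL normalization: lower-cased host, percent-encoded path
}

/** The flawed comparison this example contrasts with: a bare suffix check on the host. */
function naiveHostCheck(
  input: string,
  allowedHosts: readonly string[] = ALLOWED_EMBED_HOSTS,
): boolean {
  const host = new URL(input).hostname;
  return allowedHosts.some(d => host.endsWith(d));
}

// Constructed sample inputs, as a reader might run them:
const samples = [
  'https://www.youtube.com/embed/abc',   // accepted
  'https://evil-youtube.com/embed/abc',  // rejected here, accepted by naiveHostCheck
  'javascript:alert(1)',                 // rejected: wrong scheme
  'not a url',                           // rejected: unparsable
];
for (const s of samples) {
  console.log(s, '=>', validateEmbedUrl(s));
}
```

The design point is that the allowlist is applied to the parsed `hostname`, compared as an exact label or a dot-separated subdomain, and the value passed on is the normalized `url.href` rather than the raw string, so whatever the template embeds is exactly what was checked.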