This repository has been archived by the owner on Dec 4, 2017. It is now read-only.

Misleading concepts about sanitize in template syntax #3408

Open
trotyl opened this issue Mar 22, 2017 · 2 comments
Comments

@trotyl
Contributor

trotyl commented Mar 22, 2017

In the Content security part of the Template Syntax chapter, there is this content:

<!--
  Angular generates warnings for these two lines as it sanitizes them
  WARNING: sanitizing HTML stripped some content (see http://g.co/ng/security#xss).
 -->
<p><span>"{{evilTitle}}" is the <i>interpolated</i> evil title.</span></p>
<p>"<span [innerHTML]="evilTitle"></span>" is the <i>property bound</i> evil title.</p>

It says that Angular will generate warnings for these two lines. However, it actually just generates a warning for the second line, nothing for the first line; an example is here: http://embed.plnkr.co/kS1vNt2hT7KfOtlKT2Qu/ . (Technically that's not wrong, but misleading enough.)

And for the first line, there's actually nothing about sanitizing; it's just because Angular does not use a string-based template, the structure and data have been separated all the time. So the interpolation environment is not HTML-aware; using HTML there will be the same as using HTML in an iOS Label, it's the natural result to show the text as-is, without any pre-processing.

Since the interpolation context is not HTML-aware at the design level (Angular is platform-agnostic), it's not accurate to say it sanitizes the HTML in this condition.
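The distinction the issue draws can be made concrete outside a browser. The following is an added example in plain JavaScript, not Angular's code and not part of this issue: `renderInterpolated` models what a `{{ }}` text node looks like when serialized (the string is never parsed, so there is nothing to sanitize and no warning to emit), while `sanitizeHtml` stands in for the sanitizer that runs on `[innerHTML]` and reports whether it stripped anything, which is where the documented warning comes from. The allowlist sanitizer, the tag set and the sample `evilTitle` value are all assumptions constructed for this example.

```javascript
// Added example (not Angular's code): the two bindings from the issue as plain functions.
//
// 1. Interpolation `{{ value }}` produces a DOM text node. The string is never
//    parsed as HTML, so nothing is sanitized; serialized, it is merely escaped.
// 2. `[innerHTML]="value"` parses the string as HTML, so a sanitizer must run
//    first. The allowlist sanitizer below is a deliberately small stand-in for
//    Angular's real one (an assumption of this example, not its actual logic).

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Interpolation path: how a text node serializes. No markup survives as markup.
function renderInterpolated(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Tags the toy sanitizer keeps; anything else (script, iframe, img, ...) is dropped.
const ALLOWED_TAGS = new Set(['b', 'i', 'em', 'strong', 'p', 'span']);

// Property-binding path: minimal allowlist sanitizer. Returns the cleaned markup
// plus a `stripped` flag that plays the role of the framework's
// "sanitizing HTML stripped some content" warning.
function sanitizeHtml(value) {
  let stripped = false;
  let html = String(value);

  // Script elements go together with their body: the text inside is code, not content.
  html = html.replace(/<script\b[^>]*>[\s\S]*?<\/script\s*>/gi, () => {
    stripped = true;
    return '';
  });

  // Rewrite every remaining tag: keep allowlisted names with no attributes, drop the rest.
  // (Attribute values such as event handlers or javascript: URLs are where payloads
  // hide, so the toy sanitizer discards all attributes rather than vetting them.)
  html = html.replace(/<\/?([a-zA-Z][a-zA-Z0-9]*)\b[^>]*>/g, (tag, name) => {
    const lower = name.toLowerCase();
    if (!ALLOWED_TAGS.has(lower)) {
      stripped = true;
      return '';
    }
    const closing = tag.startsWith('</');
    const hadAttributes = /^<[a-zA-Z][a-zA-Z0-9]*\s+[^>\s]/.test(tag);
    if (!closing && hadAttributes) stripped = true;
    return closing ? `</${lower}>` : `<${lower}>`;
  });

  return { html, stripped };
}

// Constructed sample value standing in for the docs' `evilTitle`.
const evilTitle = 'Template <script>evil()</script><b>Syntax</b>';

// Interpolation: the markup is shown literally; no sanitizer ran, so no warning.
console.log('{{evilTitle}}      ->', renderInterpolated(evilTitle));

// Property binding: the script element is removed and the flag says so.
const bound = sanitizeHtml(evilTitle);
console.log('[innerHTML]        ->', bound.html, bound.stripped ? '(stripped, warn)' : '');
```

Running it prints the escaped string for the interpolation case and `Template <b>Syntax</b>` with the stripped flag set for the binding case, which is exactly the asymmetry the issue points out: only the second path has anything to warn about.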

@ghost

ghost commented Apr 4, 2017

@trotyl , my head started spinning, whilst trying to understand this. May I ask: which action do you suggest?

@trotyl
Contributor Author

trotyl commented Apr 4, 2017

@lazaridis-com At least remove:

Angular generates warnings for these two lines as it sanitizes them

as Angular won't generate a warning for one of them; it's a fact, not an opinion.
