I have the following situation:
We have a desktop application and a web application with AngularJS and Kendo UI jQuery, which both use the same server REST API.
If a user enters malicious code as a string <script>alert("security breach")</script> through the desktop application or manually through Postman and the API, this is saved to the database (we have cases where we have to allow such tags in the db). When this is rendered on the desktop, it is fine, but when I render a Kendo UI tree list, the script is rendered and executed. So, my tree list is displayed, and the alert is executed.
I have ngSanitize turned on application-wide, but it seems not to be working on the Kendo UI widgets used within (we combine the jQuery and Angular approaches for widgets).
Do you have any suggestions on how to approach this?
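
The situation described above, as an added example that is not part of the original post and is not Kendo UI code: a stand-in tree renderer that builds row markup from API data, once with the raw value and once HTML-encoding it at render time so the stored value stays untouched. The field names (`id`, `parentId`, `name`) and all function names are assumptions made for illustration.

```javascript
// Constructed sample: flat rows as the REST API might return them,
// with the value stored unmodified in the database.
const rows = [
  { id: 1, parentId: null, name: 'Root' },
  { id: 2, parentId: 1, name: '<script>alert("security breach")</script>' },
  { id: 3, parentId: 2, name: 'Tom & Jerry' },
];

// Encode the characters that are significant in HTML text and attributes.
// '&' is replaced first so the entities produced below are not re-encoded.
function htmlEncode(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable: the value is concatenated into markup as-is, which is what
// happens when a widget template inserts a field without encoding it.
function renderCellRaw(row) {
  return '<td>' + row.name + '</td>';
}

// Hardened: the value is encoded at output time, so the browser shows the
// tag as text. The database copy is not changed.
function renderCellEncoded(row) {
  return '<td>' + htmlEncode(row.name) + '</td>';
}

// Render the hierarchy depth-first from the flat parentId list.
// Assumes the parentId links contain no cycles.
function renderTree(allRows, renderCell, parentId = null, depth = 0) {
  return allRows
    .filter((r) => r.parentId === parentId)
    .map((r) =>
      '<tr data-depth="' + depth + '">' + renderCell(r) + '</tr>' +
      renderTree(allRows, renderCell, r.id, depth + 1))
    .join('');
}

console.log(renderTree(rows, renderCellRaw));     // contains a live <script> element
console.log(renderTree(rows, renderCellEncoded)); // contains only inert text
```

In Kendo UI templates the same distinction is `#= name #` (raw) versus `#: name #` (HTML-encoded). ngSanitize only acts on values passed through `$sanitize`, such as `ng-bind-html` bindings, so markup that a jQuery widget builds itself is not covered by it.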