AngularJS is secure by default: it automatically sanitizes and filters untrusted values that could otherwise lead to vulnerabilities such as cross-site scripting (XSS). Strict Contextual Escaping (SCE) is the execution mode that enforces this: in contexts where a value could be interpreted as code (for example HTML bound through ng-bind-html), AngularJS only accepts values that have been explicitly marked as safe for that context.

Disabling SCE in an AngularJS application is strongly discouraged, because it removes this protection from every binding in the application at once. Disabling it from within a library is even worse, since the setting is application-wide and silently affects code the library author does not control.

Do not disable SCE.

The following example shows an AngularJS application that disables SCE in order to dynamically construct an HTML fragment, which is later inserted into the DOM through $scope.html.

This is problematic, since it disables SCE for the entire AngularJS application.

Instead, keep SCE enabled and mark only the dynamically constructed HTML fragment as safe using $sce.trustAsHtml before assigning it to $scope.html. Note that $sce.trustAsHtml turns sanitization off for that one value, so any untrusted data interpolated into the fragment must be escaped before the fragment is marked as trusted:

Please note that this example is for illustrative purposes only; use the AngularJS templating system to dynamically construct HTML when possible.
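The following is an added example, not code from the original page, showing the two patterns side by side: the noncompliant application-wide switch through $sceProvider.enabled(false), and the compliant $sce.trustAsHtml call applied to a single fragment that is built from escaped data. The module name "app", the controller name "GreetingCtrl", the escaping helper and the untrusted input are assumptions made for the example.

```javascript
// Added example (not from the original page). Contrasts disabling SCE for the whole
// application with marking one constructed fragment as trusted HTML, and shows why the
// untrusted part of such a fragment must still be escaped: $sce.trustAsHtml tells
// AngularJS to skip sanitization for that value.

// Minimal HTML escaping for text interpolated into our own markup (assumed helper).
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Dynamically constructed HTML fragment: the markup is ours, only the name is untrusted.
function buildGreeting(untrustedName) {
  return '<p class="greeting">Hello, <strong>' + escapeHtml(untrustedName) + '</strong>!</p>';
}

// Noncompliant: turns SCE off for the entire application so that ng-bind-html accepts
// any string. Every other binding in the app loses its protection as well.
function configureNoncompliant(app) {
  app.config(['$sceProvider', function ($sceProvider) {
    $sceProvider.enabled(false);
  }]);
}

// Compliant: SCE stays on; only this fragment is explicitly marked as trusted HTML.
// Template (assumed): <div ng-controller="GreetingCtrl"><div ng-bind-html="html"></div></div>
function GreetingCtrl($scope, $sce, untrustedName) {
  $scope.html = $sce.trustAsHtml(buildGreeting(untrustedName));
}

function configureCompliant(app) {
  app.controller('GreetingCtrl', ['$scope', '$sce', function ($scope, $sce) {
    // In a real application the name would come from a route parameter or an HTTP response.
    GreetingCtrl($scope, $sce, 'Alice');
  }]);
}

// Only wire into AngularJS when it is loaded, so this file also runs stand-alone under Node.
if (typeof angular !== 'undefined') {
  configureCompliant(angular.module('app', []));
}
```

Because trustAsHtml bypasses sanitization, the safety of the compliant version rests entirely on buildGreeting escaping the untrusted name; if the fragment were assembled from raw input, marking it trusted would reintroduce the XSS that SCE exists to prevent.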

  • AngularJS Developer Guide: Strict Contextual Escaping
  • AngularJS Developer Guide: Can I disable SCE completely?