angularjs防止XSS攻击

What's the best way to prevent XSS attacks in an angularjs app? I've used $sanitize before sending it to a rest service call and I'm still getting errors from our security team that the app isnt secure. The call is something along the lines of

http://somesite.com/search?dateFrom='%22()%26%25<acx><ScRiPt%20>prompt(961193)</ScRiPt>&dateTo=20141231&code=5900

But this is suppose to be a POST call. Im not sure why the security scan is still producing errors. Is this something that must be fixed server side? I have a validation in my input fields using directives to prevent users from inputting invalid characters like < , > etc. So I have no clue as to how the scan is producing those errors...

Heres a sample of what the scan response headers

By definition, XSS fixes are strictly referring to the output of insecure content.

AngularJS would output by default encoded HTML, so it won't be parsed - same goes for JS associated with it. So by default you should be covered.

Still, some AngularJS devs choose to use "ng-bind-html-unsafe" or manually making unsafe content via $sce. In this case, developers must be aware that they are 100% relying on the backend to provide good data.

Are you sure that the security team refers to XSS and not CSRF? Because CSRF has a totally different fix (see CSRF token exchange on google). If this is not the case, my gut says that they want encoded strings coming from client side (because they are too lazy to encode them themselves).

It turns out the server side did not sanitize inputted data. Even though I have validation set up, the security team uses an application that can call the POST ajax call without going through the web application..