How can I avoid XSS and CSRF attacks on my PHP page with AngularJS? [closed]

1

On my website I want to avoid these types of attacks. I need your help because I do not know how to mitigate HTML injections or other ways to change the HTML to make requests by dea.

It should be noted that the web service was created with PHP and I am consuming it with AngularJS. Should security go server-side?

    
asked by Jose Manuel 28.06.2017 в 01:01

1 answer

1

Security should always go on the server side. If you also add checks on the client side (JavaScript), even better, but the server is the important one.

To avoid XSS

You can use htmlentities() or htmlspecialchars() each time you return text generated by the user (inserted by a user somewhere in the application). If the text is generated by you and the user cannot change it, it obviously does not need to be escaped.

We must also bear in mind that it is not necessary to do it in all fields. If they are numeric or very small fields (

answered by 28.06.2017 в 14:24
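
The following is an added example, not part of the original answer, showing the output escaping the answer describes applied to user-generated text in both an HTML text node and a quoted attribute. The helper names `e()` and `renderComments()` and the sample rows are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Escape one user-supplied string for an HTML text node or a quoted attribute.
// (Hypothetical helper name; not from the original answer.)
function e(string $value): string
{
    // ENT_QUOTES escapes both " and ' (before PHP 8.1 the default flags left
    // single quotes alone). ENT_SUBSTITUTE replaces invalid UTF-8 sequences
    // instead of making the function return an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Build an HTML list from rows that contain user-generated text.
// Every user-controlled value is escaped at the point of output.
function renderComments(array $comments): string
{
    $html = "<ul>\n";
    foreach ($comments as $c) {
        $html .= sprintf(
            "  <li title=\"%s\"><b>%s</b>: %s</li>\n",
            e($c['author']),   // quoted attribute context
            e($c['author']),   // text node context
            e($c['body'])      // text node context
        );
    }
    return $html . "</ul>\n";
}

// Constructed sample rows standing in for text stored by users.
$comments = [
    ['author' => 'ana', 'body' => 'Nice post!'],
    ['author' => 'x" onmouseover="alert(1)', 'body' => '<script>alert(1)</script>'],
];

// The second row is emitted as inert text: < > " become &lt; &gt; &quot;
// so the browser shows the characters instead of interpreting them as markup.
echo renderComments($comments);
```

This covers HTML text and quoted-attribute contexts only; values placed inside JavaScript, URLs or CSS need encoding specific to that context.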