I got that angular2 could render in server side(even I don't know what's the benefit), and I really see an example of angular2 server side.
Angular 2 Universal Starter
But it seems angular2 official doesn't suggest this.
Server side XSS protection from angular2 doc
HTML constructed on the server is vulnerable to injection attacks. Injecting template code into an Angular application is the same as injecting executable code into the application; it gives the attacker full control over the application. To prevent this, make sure to use a templating language that automatically escapes values to prevent XSS vulnerabilities on the server. Do not generate Angular templates on the server side using a templating language, this carries a high risk of introducing template injection vulnerabilities.
How to understand it?
XSS can be caused by user-provided data added to the DOM.
This is not what server-side rendering is about. Server-side rendering is about executing your Angular2 application on the server, caching the result and sending the resulting DOM to the client, so that the client has less initialization work to do and can do the initial render in shorter time.
This can cause user-provided data to be added to the DOM if your Angular2 application code is doing this.
Angular2 does sanitize added HTML to prevent XSS also when rendered on the server. If you prevent this by marking a string as safe using
DomSanitizationService then you again become susceptible to XSS attacks.