Your question seems to have two parts.
Regarding $sanitize
when immediately displayed, not sure what this means, b/c you'll likely have ng-model
to capture the username.
Regarding sending a sanitized username / passwd from the client rather than doing it on the server, it's a reasonable question. Technically you could do either. IMO it's a matter of keeping user inputs clean at all times from the pov of your code. All inputs should be sanity checked at the earliest point. Critical pieces like credentials should have two layers of sanity, lest one inadvertently disappear. Or worse, an attack vector is discovered in one of your two (or more) sanity layers.
Recall a well-known ldap attack vector where a username reads like im-a-user)&&()
. The close parens followed by an and null is an exploit. Why have such strings floating around when they could be scrubbed at the point of input?