cargdev/angular
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: security implementation in Angular 2.

Browse Source 
Summary:
This adds basic security hooks to Angular 2.

* `SecurityContext` is a private API between core, compiler, and
  platform-browser. `SecurityContext` communicates what context a value is used
  in across template parser, compiler, and sanitization at runtime.
* `SanitizationService` is the bare bones interface to sanitize values for a
  particular context.
* `SchemaElementRegistry.securityContext(tagName, attributeOrPropertyName)`
  determines the security context for an attribute or property (it turns out
  attributes and properties match for the purposes of sanitization).

Based on these hooks:

* `DomSchemaElementRegistry` decides what sanitization applies in a particular
  context.
* `DomSanitizationService` implements `SanitizationService` and adds *Safe
  Value*s, i.e. the ability to mark a value as safe and not requiring further
  sanitization.
* `url_sanitizer` and `style_sanitizer` sanitize URLs and Styles, respectively
  (surprise!).

`DomSanitizationService` is the default implementation bound for browser
applications, in the three contexts (browser rendering, web worker rendering,
server side rendering).

BREAKING CHANGES:
*** SECURITY WARNING ***
Angular 2 Release Candidates do not implement proper contextual escaping yet.
Make sure to correctly escape all values that go into the DOM.
*** SECURITY WARNING ***

Reviewers: IgorMinar

Differential Revision: https://reviews.angular.io/D103
This commit is contained in:
Martin Probst
2016-04-29 16:04:08 -07:00
parent dd6e0cf1b5
commit 908a102a87
24 changed files with 590 additions and 34 deletions
Download Patch File Download Diff File Expand all files Collapse all files

34
modules/@angular/compiler/test/schema/dom_element_schema_registry_spec.ts
View File

@ -11,11 +11,12 @@ import {
} from '@angular/core/testing/testing_internal';
import {DomElementSchemaRegistry} from '@angular/compiler/src/schema/dom_element_schema_registry';
import {SecurityContext} from '../../core_private';
import {extractSchema} from './schema_extractor';
export function main() {
describe('DOMElementSchema', () => {
var registry: DomElementSchemaRegistry;
let registry: DomElementSchemaRegistry;
beforeEach(() => { registry = new DomElementSchemaRegistry(); });
it('should detect properties on regular elements', () => {
@ -33,21 +34,20 @@ export function main() {
expect(registry.hasProperty('div', 'unknown')).toBeFalsy();
});
it('should detect different kinds of types',
() => {
// inheritance: video => media => *
expect(registry.hasProperty('video', 'className')).toBeTruthy(); // from *
expect(registry.hasProperty('video', 'id')).toBeTruthy(); // string
expect(registry.hasProperty('video', 'scrollLeft')).toBeTruthy(); // number
expect(registry.hasProperty('video', 'height')).toBeTruthy(); // number
expect(registry.hasProperty('video', 'autoplay')).toBeTruthy(); // boolean
expect(registry.hasProperty('video', 'classList')).toBeTruthy(); // object
// from *; but events are not properties
expect(registry.hasProperty('video', 'click')).toBeFalsy();
})
it('should detect different kinds of types', () => {
// inheritance: video => media => *
expect(registry.hasProperty('video', 'className')).toBeTruthy(); // from *
expect(registry.hasProperty('video', 'id')).toBeTruthy(); // string
expect(registry.hasProperty('video', 'scrollLeft')).toBeTruthy(); // number
expect(registry.hasProperty('video', 'height')).toBeTruthy(); // number
expect(registry.hasProperty('video', 'autoplay')).toBeTruthy(); // boolean
expect(registry.hasProperty('video', 'classList')).toBeTruthy(); // object
// from *; but events are not properties
expect(registry.hasProperty('video', 'click')).toBeFalsy();
});
it('should return true for custom-like elements',
() => { expect(registry.hasProperty('custom-like', 'unknown')).toBeTruthy(); });
it('should return true for custom-like elements',
() => { expect(registry.hasProperty('custom-like', 'unknown')).toBeTruthy(); });
it('should re-map property names that are specified in DOM facade',
() => { expect(registry.getMappedPropName('readonly')).toEqual('readOnly'); });
@ -57,6 +57,10 @@ export function main() {
expect(registry.getMappedPropName('exotic-unknown')).toEqual('exotic-unknown');
});
it('should return security contexts for elements', () => {
expect(registry.securityContext('a', 'href')).toBe(SecurityContext.URL);
});
it('should detect properties on namespaced elements',
() => { expect(registry.hasProperty('@svg:g', 'id')).toBeTruthy(); });