cargdev/angular
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: security implementation in Angular 2.

Browse Source 
Summary:
This adds basic security hooks to Angular 2.

* `SecurityContext` is a private API between core, compiler, and
  platform-browser. `SecurityContext` communicates what context a value is used
  in across template parser, compiler, and sanitization at runtime.
* `SanitizationService` is the bare bones interface to sanitize values for a
  particular context.
* `SchemaElementRegistry.securityContext(tagName, attributeOrPropertyName)`
  determines the security context for an attribute or property (it turns out
  attributes and properties match for the purposes of sanitization).

Based on these hooks:

* `DomSchemaElementRegistry` decides what sanitization applies in a particular
  context.
* `DomSanitizationService` implements `SanitizationService` and adds *Safe
  Value*s, i.e. the ability to mark a value as safe and not requiring further
  sanitization.
* `url_sanitizer` and `style_sanitizer` sanitize URLs and Styles, respectively
  (surprise!).

`DomSanitizationService` is the default implementation bound for browser
applications, in the three contexts (browser rendering, web worker rendering,
server side rendering).

BREAKING CHANGES:
*** SECURITY WARNING ***
Angular 2 Release Candidates do not implement proper contextual escaping yet.
Make sure to correctly escape all values that go into the DOM.
*** SECURITY WARNING ***

Reviewers: IgorMinar

Differential Revision: https://reviews.angular.io/D103
This commit is contained in:
Martin Probst
2016-04-29 16:04:08 -07:00
parent dd6e0cf1b5
commit 908a102a87
24 changed files with 590 additions and 34 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
modules/@angular/core/private_export.ts
View File

@ -1,4 +1,5 @@
import * as constants from './src/change_detection/constants';
import * as security from './src/security';
import * as reflective_provider from './src/di/reflective_provider';
import * as lifecycle_hooks from './src/metadata/lifecycle_hooks';
import * as reflector_reader from './src/reflection/reflector_reader';
@ -52,6 +53,10 @@ export declare namespace __core_private_types__ {
export var ValueUnwrapper: typeof change_detection_util.ValueUnwrapper;
export type RenderDebugInfo = api.RenderDebugInfo;
export var RenderDebugInfo: typeof api.RenderDebugInfo;
export var SecurityContext: typeof security.SecurityContext;
export type SecurityContext = security.SecurityContext;
export var SanitizationService: typeof security.SanitizationService;
export type SanitizationService = security.SanitizationService;
export type TemplateRef_<C> = template_ref.TemplateRef_<C>;
export var TemplateRef_: typeof template_ref.TemplateRef_;
export var wtfInit: typeof wtf_init.wtfInit;
@ -104,6 +109,8 @@ export var __core_private__ = {
uninitialized: change_detection_util.uninitialized,
ValueUnwrapper: change_detection_util.ValueUnwrapper,
RenderDebugInfo: api.RenderDebugInfo,
SecurityContext: security.SecurityContext,
SanitizationService: security.SanitizationService,
TemplateRef_: template_ref.TemplateRef_,
wtfInit: wtf_init.wtfInit,
ReflectionCapabilities: reflection_capabilities.ReflectionCapabilities,