feat: security implementation in Angular 2.
Summary: This adds basic security hooks to Angular 2. * `SecurityContext` is a private API between core, compiler, and platform-browser. `SecurityContext` communicates what context a value is used in across template parser, compiler, and sanitization at runtime. * `SanitizationService` is the bare bones interface to sanitize values for a particular context. * `SchemaElementRegistry.securityContext(tagName, attributeOrPropertyName)` determines the security context for an attribute or property (it turns out attributes and properties match for the purposes of sanitization). Based on these hooks: * `DomSchemaElementRegistry` decides what sanitization applies in a particular context. * `DomSanitizationService` implements `SanitizationService` and adds *Safe Value*s, i.e. the ability to mark a value as safe and not requiring further sanitization. * `url_sanitizer` and `style_sanitizer` sanitize URLs and Styles, respectively (surprise!). `DomSanitizationService` is the default implementation bound for browser applications, in the three contexts (browser rendering, web worker rendering, server side rendering). BREAKING CHANGES: *** SECURITY WARNING *** Angular 2 Release Candidates do not implement proper contextual escaping yet. Make sure to correctly escape all values that go into the DOM. *** SECURITY WARNING *** Reviewers: IgorMinar Differential Revision: https://reviews.angular.io/D103
@ -1,3 +1,4 @@
|
||||
import {SanitizationService} from '../security';
|
||||
import {isBlank, isPresent, looseIdentical} from '../../src/facade/lang';
|
||||
import {ListWrapper, StringMapWrapper} from '../../src/facade/collection';
|
||||
import {BaseException} from '../../src/facade/exceptions';
|
||||
@ -12,9 +13,14 @@ import {uninitialized} from "../change_detection/change_detection_util";
|
||||
|
||||
@Injectable()
|
||||
export class ViewUtils {
|
||||
sanitizer: SanitizationService;
|
||||
private _nextCompTypeId: number = 0;
|
||||
|
||||
constructor(private _renderer: RootRenderer, @Inject(APP_ID) private _appId: string) {}
|
||||
constructor(
|
||||
private _renderer: RootRenderer, @Inject(APP_ID) private _appId: string,
|
||||
sanitizer: SanitizationService) {
|
||||
this.sanitizer = sanitizer;
|
||||
}
|
||||
|
||||
/**
|
||||
* Used by the generated code
|
||||
|
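--- /dev/null
+++ b/modules/@angular/core/src/security.ts
@@ -0,0 +1,23 @@
+/**
+* A SecurityContext marks a location that has dangerous security implications, e.g. a DOM property
+* like `innerHTML` that could cause Cross Site Scripting (XSS) security bugs when improperly
+* handled.
+*
+* See DomSanitizationService for more details on security in Angular applications.
+*/
+export enum SecurityContext {
+NONE,
+HTML,
+STYLE,
+SCRIPT,
+URL,
+RESOURCE_URL,
+}
+
+/**
+* SanitizationService is used by the views to sanitize potentially dangerous values. This is a
+* private API, use code should only refer to DomSanitizationService.
+*/
+export abstract class SanitizationService {
+abstract sanitize(context: SecurityContext, value: string): string;
+}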
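Review bot: The abstract `sanitize` declared on the last lines of this file carries no documentation of the contract its implementations must honour, and the class comment just above it reads `use code` where `user code` is meant. Because the commit description says this interface is shared by core, compiler and platform-browser, a TSDoc on the method would pin the rules in one place, e.g. `/** Returns a value safe to use in `context`. Implementations must sanitize or throw for every context other than NONE; returning the raw input is only acceptable where the context needs no sanitization. */`. The parameter is typed `value: string`, yet the generated code that calls it via `ViewUtils.sanitizer` is presumably handed arbitrary binding values (numbers, null, objects), so the doc should state whether implementations coerce or callers must — worth confirming against the generated code. `SecurityContext` is a numeric enum whose emitted values change if members are reordered, which for a cross-package private API deserves a guard comment such as `// Append-only: the numeric values are part of the private core/compiler/platform-browser API.`.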