feat(security): add an HTML sanitizer.

This is based on Angular 1's implementation, parsing an HTML document
into an inert DOM Document implementation, and then serializing only
specifically whitelisted elements.

It currently does not support SVG sanitization; all SVG elements are
rejected.

If available, the sanitizer uses the `<template>` HTML element as an
inert container.

Sanitization works client and server-side.

Reviewers: rjamet, tbosch , molnarg , koto

Differential Revision: https://reviews.angular.io/D108
Martin Probst
2016-04-30 19:02:05 -07:00
parent df1b1f6957
commit f86edae9f3
7 changed files with 442 additions and 44 deletions


@ -1,7 +1,11 @@
import {Injectable} from '@angular/core';
import {SecurityContext, SanitizationService} from '../../core_private';
import {sanitizeHtml} from './html_sanitizer';
import {sanitizeUrl} from './url_sanitizer';
import {sanitizeStyle} from './style_sanitizer';
import {SecurityContext, SanitizationService} from '../../core_private';
import {Injectable} from '@angular/core';
export {SecurityContext};
/** Marker interface for a value that's safe to use in a particular context. */
@ -103,7 +107,7 @@ export class DomSanitizationServiceImpl extends DomSanitizationService {
case SecurityContext.HTML:
if (value instanceof SafeHtmlImpl) return value.changingThisBreaksApplicationSecurity;
this.checkNotSafeValue(value, 'HTML');
return this.sanitizeHtml(String(value));
return sanitizeHtml(String(value));
case SecurityContext.STYLE:
if (value instanceof SafeStyleImpl) return value.changingThisBreaksApplicationSecurity;
this.checkNotSafeValue(value, 'Style');
@ -133,11 +137,6 @@ export class DomSanitizationServiceImpl extends DomSanitizationService {
}
}
private sanitizeHtml(value: string): string {
// TODO(martinprobst): implement.
return value;
}
bypassSecurityTrustHtml(value: string): SafeHtml { return new SafeHtmlImpl(value); }
bypassSecurityTrustStyle(value: string): SafeStyle { return new SafeStyleImpl(value); }
bypassSecurityTrustScript(value: string): SafeScript { return new SafeScriptImpl(value); }
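Review bot: The `case SecurityContext.HTML` branch now routes every non-SafeHtml value through the module-level `sanitizeHtml`, but nothing at the call site tells a reader what that sanitizer does or does not accept; a comment such as `// Untrusted HTML: parsed into an inert document and re-serialized with only whitelisted elements; SVG content is rejected entirely (see html_sanitizer).` would make the contract visible where it is enforced. Note also that `String(value)` coerces non-string input before sanitization — an object becomes the text `[object Object]` and `null` the text `null` — so such values are sanitized as text rather than rejected; presumably intended, but worth stating in the same comment. The `sanitize` method containing this switch starts and ends outside the hunks shown, and the removed private `sanitizeHtml` stub previously returned its input unchanged, so any caller or test that relied on HTML passing through untouched will now see sanitized output.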