cargdev/angular
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(security): add an HTML sanitizer.

Browse Source 
This is based on Angular 1's implementation, parsing an HTML document
into an inert DOM Document implementation, and then serializing only
specifically whitelisted elements.

It currently does not support SVG sanitization, all SVG elements are
rejected.

If available, the sanitizer uses the `<template>` HTML element as an
inert container.

Sanitization works client and server-side.

Reviewers: rjamet, tbosch , molnarg , koto

Differential Revision: https://reviews.angular.io/D108
This commit is contained in:
Martin Probst
2016-04-30 19:02:05 -07:00
parent df1b1f6957
commit f86edae9f3
7 changed files with 442 additions and 44 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
modules/@angular/platform-server/src/parse5_adapter.ts
View File

@ -165,6 +165,9 @@ export class Parse5DomAdapter extends DomAdapter {
preventDefault(evt) { evt.returnValue = false; }
isPrevented(evt): boolean { return isPresent(evt.returnValue) && !evt.returnValue; }
getInnerHTML(el): string { return serializer.serialize(this.templateAwareRoot(el)); }
getTemplateContent(el): Node {
return null; // no <template> support in parse5.
}
getOuterHTML(el): string {
serializer.html = '';
serializer._serializeElement(el);