angular-cn/modules/@angular/core/src/security.ts

/**
 * @license
 * Copyright Google Inc. All Rights Reserved.
 *
 * Use of this source code is governed by an MIT-style license that can be
 * found in the LICENSE file at https://angular.io/license
 */

/**
 * A SecurityContext marks a location that has dangerous security implications, e.g. a DOM property
 * like `innerHTML` that could cause Cross Site Scripting (XSS) security bugs when improperly
 * handled.
 *
 * See DomSanitizer for more details on security in Angular applications.
 *
 * @stable
 */
export enum SecurityContext {
  NONE,
  HTML,
  STYLE,
  SCRIPT,
  URL,
  RESOURCE_URL,
}

/**
 * Sanitizer is used by the views to sanitize potentially dangerous values.
 *
 * @stable
 */
export abstract class Sanitizer {
  abstract sanitize(context: SecurityContext, value: string): string;
}
chore(lint): Added license headers to most TypeScript files Relates to #9380 2016-06-23 09:47:54 -07:00			`/**`
			`* @license`
			`* Copyright Google Inc. All Rights Reserved.`
			`*`
			`* Use of this source code is governed by an MIT-style license that can be`
			`* found in the LICENSE file at https://angular.io/license`
			`*/`

feat: security implementation in Angular 2. Summary: This adds basic security hooks to Angular 2. * `SecurityContext` is a private API between core, compiler, and platform-browser. `SecurityContext` communicates what context a value is used in across template parser, compiler, and sanitization at runtime. * `SanitizationService` is the bare bones interface to sanitize values for a particular context. * `SchemaElementRegistry.securityContext(tagName, attributeOrPropertyName)` determines the security context for an attribute or property (it turns out attributes and properties match for the purposes of sanitization). Based on these hooks: * `DomSchemaElementRegistry` decides what sanitization applies in a particular context. * `DomSanitizationService` implements `SanitizationService` and adds Safe Values, i.e. the ability to mark a value as safe and not requiring further sanitization. * `url_sanitizer` and `style_sanitizer` sanitize URLs and Styles, respectively (surprise!). `DomSanitizationService` is the default implementation bound for browser applications, in the three contexts (browser rendering, web worker rendering, server side rendering). BREAKING CHANGES: * SECURITY WARNING * Angular 2 Release Candidates do not implement proper contextual escaping yet. Make sure to correctly escape all values that go into the DOM. * SECURITY WARNING * Reviewers: IgorMinar Differential Revision: https://reviews.angular.io/D103 2016-04-29 16:04:08 -07:00			`/**`
			`* A SecurityContext marks a location that has dangerous security implications, e.g. a DOM property`
			* like `innerHTML` that could cause Cross Site Scripting (XSS) security bugs when improperly
			`* handled.`
			`*`
refactor: rename SanitizationService to Sanitizer and DomSanitizationService to DomSanitizer (#11085) BREAKING CHANGE: Previously inconsistently named APIs SanitizationService and DomSanitizationService were renamed to Sanitizer and DomSanitizer 2016-08-25 15:41:19 -07:00			`* See DomSanitizer for more details on security in Angular applications.`
fix: public api surface fixes + stability markers - ts-api-guardian will now error if a new public symbol is added with a stability marker (`@stable`, `@experimental`, `@deprecated`) - DomEventsPlugin and KeyEventsPlugin were removed from public api surface - these classes is an implementation detail - deprecated BROWSER_PROVIDERS was removed completely - `@angular/compiler` was removed from the ts-api-guardian check since this package shouldn't contain anything that users need to directly import - the rest of the api surface was conservatively marked as stable or experimental BREAKING CHANGES: DomEventsPlugin and KeyEventsPlugin previously exported from core are no longer public - these classes are implementation detail. Previously deprecated BROWSER_PROVIDERS was completely removed from platform-browser. Closes #9236 Closes #9235 Ref #9234 2016-06-27 12:27:23 -07:00			`*`
			`* @stable`
feat: security implementation in Angular 2. Summary: This adds basic security hooks to Angular 2. * `SecurityContext` is a private API between core, compiler, and platform-browser. `SecurityContext` communicates what context a value is used in across template parser, compiler, and sanitization at runtime. * `SanitizationService` is the bare bones interface to sanitize values for a particular context. * `SchemaElementRegistry.securityContext(tagName, attributeOrPropertyName)` determines the security context for an attribute or property (it turns out attributes and properties match for the purposes of sanitization). Based on these hooks: * `DomSchemaElementRegistry` decides what sanitization applies in a particular context. * `DomSanitizationService` implements `SanitizationService` and adds Safe Values, i.e. the ability to mark a value as safe and not requiring further sanitization. * `url_sanitizer` and `style_sanitizer` sanitize URLs and Styles, respectively (surprise!). `DomSanitizationService` is the default implementation bound for browser applications, in the three contexts (browser rendering, web worker rendering, server side rendering). BREAKING CHANGES: * SECURITY WARNING * Angular 2 Release Candidates do not implement proper contextual escaping yet. Make sure to correctly escape all values that go into the DOM. * SECURITY WARNING * Reviewers: IgorMinar Differential Revision: https://reviews.angular.io/D103 2016-04-29 16:04:08 -07:00			`*/`
			`export enum SecurityContext {`
			`NONE,`
			`HTML,`
			`STYLE,`
			`SCRIPT,`
			`URL,`
			`RESOURCE_URL,`
			`}`

			`/**`
refactor: rename SanitizationService to Sanitizer and DomSanitizationService to DomSanitizer (#11085) BREAKING CHANGE: Previously inconsistently named APIs SanitizationService and DomSanitizationService were renamed to Sanitizer and DomSanitizer 2016-08-25 15:41:19 -07:00			`* Sanitizer is used by the views to sanitize potentially dangerous values.`
fix: public api surface fixes + stability markers - ts-api-guardian will now error if a new public symbol is added with a stability marker (`@stable`, `@experimental`, `@deprecated`) - DomEventsPlugin and KeyEventsPlugin were removed from public api surface - these classes is an implementation detail - deprecated BROWSER_PROVIDERS was removed completely - `@angular/compiler` was removed from the ts-api-guardian check since this package shouldn't contain anything that users need to directly import - the rest of the api surface was conservatively marked as stable or experimental BREAKING CHANGES: DomEventsPlugin and KeyEventsPlugin previously exported from core are no longer public - these classes are implementation detail. Previously deprecated BROWSER_PROVIDERS was completely removed from platform-browser. Closes #9236 Closes #9235 Ref #9234 2016-06-27 12:27:23 -07:00			`*`
			`* @stable`
feat: security implementation in Angular 2. Summary: This adds basic security hooks to Angular 2. * `SecurityContext` is a private API between core, compiler, and platform-browser. `SecurityContext` communicates what context a value is used in across template parser, compiler, and sanitization at runtime. * `SanitizationService` is the bare bones interface to sanitize values for a particular context. * `SchemaElementRegistry.securityContext(tagName, attributeOrPropertyName)` determines the security context for an attribute or property (it turns out attributes and properties match for the purposes of sanitization). Based on these hooks: * `DomSchemaElementRegistry` decides what sanitization applies in a particular context. * `DomSanitizationService` implements `SanitizationService` and adds Safe Values, i.e. the ability to mark a value as safe and not requiring further sanitization. * `url_sanitizer` and `style_sanitizer` sanitize URLs and Styles, respectively (surprise!). `DomSanitizationService` is the default implementation bound for browser applications, in the three contexts (browser rendering, web worker rendering, server side rendering). BREAKING CHANGES: * SECURITY WARNING * Angular 2 Release Candidates do not implement proper contextual escaping yet. Make sure to correctly escape all values that go into the DOM. * SECURITY WARNING * Reviewers: IgorMinar Differential Revision: https://reviews.angular.io/D103 2016-04-29 16:04:08 -07:00			`*/`
refactor: rename SanitizationService to Sanitizer and DomSanitizationService to DomSanitizer (#11085) BREAKING CHANGE: Previously inconsistently named APIs SanitizationService and DomSanitizationService were renamed to Sanitizer and DomSanitizer 2016-08-25 15:41:19 -07:00			`export abstract class Sanitizer {`
feat: security implementation in Angular 2. Summary: This adds basic security hooks to Angular 2. * `SecurityContext` is a private API between core, compiler, and platform-browser. `SecurityContext` communicates what context a value is used in across template parser, compiler, and sanitization at runtime. * `SanitizationService` is the bare bones interface to sanitize values for a particular context. * `SchemaElementRegistry.securityContext(tagName, attributeOrPropertyName)` determines the security context for an attribute or property (it turns out attributes and properties match for the purposes of sanitization). Based on these hooks: * `DomSchemaElementRegistry` decides what sanitization applies in a particular context. * `DomSanitizationService` implements `SanitizationService` and adds Safe Values, i.e. the ability to mark a value as safe and not requiring further sanitization. * `url_sanitizer` and `style_sanitizer` sanitize URLs and Styles, respectively (surprise!). `DomSanitizationService` is the default implementation bound for browser applications, in the three contexts (browser rendering, web worker rendering, server side rendering). BREAKING CHANGES: * SECURITY WARNING * Angular 2 Release Candidates do not implement proper contextual escaping yet. Make sure to correctly escape all values that go into the DOM. * SECURITY WARNING * Reviewers: IgorMinar Differential Revision: https://reviews.angular.io/D103 2016-04-29 16:04:08 -07:00			`abstract sanitize(context: SecurityContext, value: string): string;`
			`}`