angular-cn/public/docs/_examples/security/ts/app/bypass-security.component.ts

// #docplaster
// #docregion
import { Component } from '@angular/core';
import { DomSanitizationService, SafeResourceUrl, SafeUrl } from '@angular/platform-browser';

@Component({
  selector: 'bypass-security',
  templateUrl: 'app/bypass-security.component.html',
})
export class BypassSecurityComponent {
  dangerousUrl: string;
  trustedUrl: SafeUrl;
  dangerousVideoUrl: string;
  videoUrl: SafeResourceUrl;

  // #docregion trust-url
  constructor(private sanitizer: DomSanitizationService) {
    // javascript: URLs are dangerous if attacker controlled.
    // Angular sanitizes them in data binding, but we can
    // explicitly tell Angular to trust this value:
    this.dangerousUrl = 'javascript:alert("Hi there")';
    this.trustedUrl = sanitizer.bypassSecurityTrustUrl(this.dangerousUrl);
    // #enddocregion trust-url
    this.updateVideoUrl('PUBnlbjZFAI');
  }

  // #docregion trust-video-url
  updateVideoUrl(id: string) {
    // Appending an ID to a YouTube URL is safe.
    // Always make sure to construct SafeValue objects as
    // close as possible to the input data, so
    // that it's easier to check if the value is safe.
    this.dangerousVideoUrl = 'https://www.youtube.com/embed/' + id;
    this.videoUrl =
        this.sanitizer.bypassSecurityTrustResourceUrl(this.dangerousVideoUrl);
  }
  // #enddocregion trust-video-url
}
docs(security): Add security documentation. Substantially rewritten, based on original content by Brian Clarkio and Ward Bell and contributions from Naomi Black. 2016-06-20 23:34:14 -07:00			`// #docplaster`
			`// #docregion`
			`import { Component } from '@angular/core';`
			`import { DomSanitizationService, SafeResourceUrl, SafeUrl } from '@angular/platform-browser';`

			`@Component({`
			`selector: 'bypass-security',`
			`templateUrl: 'app/bypass-security.component.html',`
			`})`
			`export class BypassSecurityComponent {`
docs(security): proofread prose, app now shows good and bad - App now shows how Angular handles untrusted URLs and resources - E2e test covered new functionality - Copyedits to prose - Updated provider expressions to use latest syntax The original security feature tracker: https://github.com/angular/angular/issues/8511 2016-06-30 07:21:55 -07:00			`dangerousUrl: string;`
			`trustedUrl: SafeUrl;`
			`dangerousVideoUrl: string;`
docs(security): Add security documentation. Substantially rewritten, based on original content by Brian Clarkio and Ward Bell and contributions from Naomi Black. 2016-06-20 23:34:14 -07:00			`videoUrl: SafeResourceUrl;`

			`// #docregion trust-url`
			`constructor(private sanitizer: DomSanitizationService) {`
docs(security): proofread prose, app now shows good and bad - App now shows how Angular handles untrusted URLs and resources - E2e test covered new functionality - Copyedits to prose - Updated provider expressions to use latest syntax The original security feature tracker: https://github.com/angular/angular/issues/8511 2016-06-30 07:21:55 -07:00			`// javascript: URLs are dangerous if attacker controlled.`
			`// Angular sanitizes them in data binding, but we can`
			`// explicitly tell Angular to trust this value:`
			`this.dangerousUrl = 'javascript:alert("Hi there")';`
			`this.trustedUrl = sanitizer.bypassSecurityTrustUrl(this.dangerousUrl);`
docs(security): Add security documentation. Substantially rewritten, based on original content by Brian Clarkio and Ward Bell and contributions from Naomi Black. 2016-06-20 23:34:14 -07:00			`// #enddocregion trust-url`
			`this.updateVideoUrl('PUBnlbjZFAI');`
			`}`

			`// #docregion trust-video-url`
			`updateVideoUrl(id: string) {`
			`// Appending an ID to a YouTube URL is safe.`
docs(security): proofread prose, app now shows good and bad - App now shows how Angular handles untrusted URLs and resources - E2e test covered new functionality - Copyedits to prose - Updated provider expressions to use latest syntax The original security feature tracker: https://github.com/angular/angular/issues/8511 2016-06-30 07:21:55 -07:00			`// Always make sure to construct SafeValue objects as`
			`// close as possible to the input data, so`
docs(security): Add security documentation. Substantially rewritten, based on original content by Brian Clarkio and Ward Bell and contributions from Naomi Black. 2016-06-20 23:34:14 -07:00			`// that it's easier to check if the value is safe.`
docs(security): proofread prose, app now shows good and bad - App now shows how Angular handles untrusted URLs and resources - E2e test covered new functionality - Copyedits to prose - Updated provider expressions to use latest syntax The original security feature tracker: https://github.com/angular/angular/issues/8511 2016-06-30 07:21:55 -07:00			`this.dangerousVideoUrl = 'https://www.youtube.com/embed/' + id;`
docs(security): Add security documentation. Substantially rewritten, based on original content by Brian Clarkio and Ward Bell and contributions from Naomi Black. 2016-06-20 23:34:14 -07:00			`this.videoUrl =`
docs(security): proofread prose, app now shows good and bad - App now shows how Angular handles untrusted URLs and resources - E2e test covered new functionality - Copyedits to prose - Updated provider expressions to use latest syntax The original security feature tracker: https://github.com/angular/angular/issues/8511 2016-06-30 07:21:55 -07:00			`this.sanitizer.bypassSecurityTrustResourceUrl(this.dangerousVideoUrl);`
docs(security): Add security documentation. Substantially rewritten, based on original content by Brian Clarkio and Ward Bell and contributions from Naomi Black. 2016-06-20 23:34:14 -07:00			`}`
			`// #enddocregion trust-video-url`
			`}`