angular-cn/public/docs/_examples/security/ts/app/bypass-security.component.ts

// #docplaster
// #docregion
import { Component } from '@angular/core';
import { DomSanitizationService, SafeResourceUrl, SafeUrl } from '@angular/platform-browser';

@Component({
  selector: 'bypass-security',
  templateUrl: 'app/bypass-security.component.html',
})
export class BypassSecurityComponent {
  dangerousUrl: SafeUrl;
  videoUrl: SafeResourceUrl;

  // #docregion trust-url
  constructor(private sanitizer: DomSanitizationService) {
    // javascript: URLs are dangerous if attacker controlled. Angular sanitizes them in data
    // binding, but we can explicitly tell Angular to trust this value:
    this.dangerousUrl = sanitizer.bypassSecurityTrustUrl('javascript:alert("Hi there")');
    // #enddocregion trust-url
    this.updateVideoUrl('PUBnlbjZFAI');
  }

  // #docregion trust-video-url
  updateVideoUrl(id: string) {
    // Appending an ID to a YouTube URL is safe.
    // Always make sure to construct SafeValue objects as close as possible to the input data, so
    // that it's easier to check if the value is safe.
    this.videoUrl =
        this.sanitizer.bypassSecurityTrustResourceUrl('https://www.youtube.com/embed/' + id);
  }
  // #enddocregion trust-video-url
}
// #enddocregion
docs(security): Add security documentation. Substantially rewritten, based on original content by Brian Clarkio and Ward Bell and contributions from Naomi Black. 2016-06-20 23:34:14 -07:00			`// #docplaster`
			`// #docregion`
			`import { Component } from '@angular/core';`
			`import { DomSanitizationService, SafeResourceUrl, SafeUrl } from '@angular/platform-browser';`

			`@Component({`
			`selector: 'bypass-security',`
			`templateUrl: 'app/bypass-security.component.html',`
			`})`
			`export class BypassSecurityComponent {`
			`dangerousUrl: SafeUrl;`
			`videoUrl: SafeResourceUrl;`

			`// #docregion trust-url`
			`constructor(private sanitizer: DomSanitizationService) {`
			`// javascript: URLs are dangerous if attacker controlled. Angular sanitizes them in data`
			`// binding, but we can explicitly tell Angular to trust this value:`
			`this.dangerousUrl = sanitizer.bypassSecurityTrustUrl('javascript:alert("Hi there")');`
			`// #enddocregion trust-url`
			`this.updateVideoUrl('PUBnlbjZFAI');`
			`}`

			`// #docregion trust-video-url`
			`updateVideoUrl(id: string) {`
			`// Appending an ID to a YouTube URL is safe.`
			`// Always make sure to construct SafeValue objects as close as possible to the input data, so`
			`// that it's easier to check if the value is safe.`
			`this.videoUrl =`
			`this.sanitizer.bypassSecurityTrustResourceUrl('https://www.youtube.com/embed/' + id);`
			`}`
			`// #enddocregion trust-video-url`
			`}`
			`// #enddocregion`