angular-cn/public/docs/_examples/security/ts/app/bypass-security.component.ts

// #docplaster
// #docregion
import { Component } from '@angular/core';
import { DomSanitizer, SafeResourceUrl, SafeUrl } from '@angular/platform-browser';

@Component({
  selector: 'bypass-security',
  moduleId: module.id,
  templateUrl: 'bypass-security.component.html',
})
export class BypassSecurityComponent {
  dangerousUrl: string;
  trustedUrl: SafeUrl;
  dangerousVideoUrl: string;
  videoUrl: SafeResourceUrl;

  // #docregion trust-url
  constructor(private sanitizer: DomSanitizer) {
    // javascript: URLs are dangerous if attacker controlled.
    // Angular sanitizes them in data binding, but you can
    // explicitly tell Angular to trust this value:
    this.dangerousUrl = 'javascript:alert("Hi there")';
    this.trustedUrl = sanitizer.bypassSecurityTrustUrl(this.dangerousUrl);
    // #enddocregion trust-url
    this.updateVideoUrl('PUBnlbjZFAI');
  }

  // #docregion trust-video-url
  updateVideoUrl(id: string) {
    // Appending an ID to a YouTube URL is safe.
    // Always make sure to construct SafeValue objects as
    // close as possible to the input data so
    // that it's easier to check if the value is safe.
    this.dangerousVideoUrl = 'https://www.youtube.com/embed/' + id;
    this.videoUrl =
        this.sanitizer.bypassSecurityTrustResourceUrl(this.dangerousVideoUrl);
  }
  // #enddocregion trust-video-url
}
docs(security): Add security documentation. Substantially rewritten, based on original content by Brian Clarkio and Ward Bell and contributions from Naomi Black. 2016-06-20 23:34:14 -07:00			`// #docplaster`
			`// #docregion`
			`import { Component } from '@angular/core';`
chore: update to rc6 (#2177) 2016-09-01 02:08:57 +01:00			`import { DomSanitizer, SafeResourceUrl, SafeUrl } from '@angular/platform-browser';`
docs(security): Add security documentation. Substantially rewritten, based on original content by Brian Clarkio and Ward Bell and contributions from Naomi Black. 2016-06-20 23:34:14 -07:00
			`@Component({`
			`selector: 'bypass-security',`
chore: convert templateUrls to use moduleId where possible. (#2477) 2016-09-25 18:51:54 -07:00			`moduleId: module.id,`
			`templateUrl: 'bypass-security.component.html',`
docs(security): Add security documentation. Substantially rewritten, based on original content by Brian Clarkio and Ward Bell and contributions from Naomi Black. 2016-06-20 23:34:14 -07:00			`})`
			`export class BypassSecurityComponent {`
docs(security): proofread prose, app now shows good and bad - App now shows how Angular handles untrusted URLs and resources - E2e test covered new functionality - Copyedits to prose - Updated provider expressions to use latest syntax The original security feature tracker: https://github.com/angular/angular/issues/8511 2016-06-30 07:21:55 -07:00			`dangerousUrl: string;`
			`trustedUrl: SafeUrl;`
			`dangerousVideoUrl: string;`
docs(security): Add security documentation. Substantially rewritten, based on original content by Brian Clarkio and Ward Bell and contributions from Naomi Black. 2016-06-20 23:34:14 -07:00			`videoUrl: SafeResourceUrl;`

			`// #docregion trust-url`
chore: update to rc6 (#2177) 2016-09-01 02:08:57 +01:00			`constructor(private sanitizer: DomSanitizer) {`
docs(security): proofread prose, app now shows good and bad - App now shows how Angular handles untrusted URLs and resources - E2e test covered new functionality - Copyedits to prose - Updated provider expressions to use latest syntax The original security feature tracker: https://github.com/angular/angular/issues/8511 2016-06-30 07:21:55 -07:00			`// javascript: URLs are dangerous if attacker controlled.`
Security Edits Combined (#2245) * Security Edits Combined * Security copy edits * Fix typo in security * fixing trailing whitespace 2016-09-14 12:11:53 -04:00			`// Angular sanitizes them in data binding, but you can`
docs(security): proofread prose, app now shows good and bad - App now shows how Angular handles untrusted URLs and resources - E2e test covered new functionality - Copyedits to prose - Updated provider expressions to use latest syntax The original security feature tracker: https://github.com/angular/angular/issues/8511 2016-06-30 07:21:55 -07:00			`// explicitly tell Angular to trust this value:`
			`this.dangerousUrl = 'javascript:alert("Hi there")';`
			`this.trustedUrl = sanitizer.bypassSecurityTrustUrl(this.dangerousUrl);`
docs(security): Add security documentation. Substantially rewritten, based on original content by Brian Clarkio and Ward Bell and contributions from Naomi Black. 2016-06-20 23:34:14 -07:00			`// #enddocregion trust-url`
			`this.updateVideoUrl('PUBnlbjZFAI');`
			`}`

			`// #docregion trust-video-url`
			`updateVideoUrl(id: string) {`
			`// Appending an ID to a YouTube URL is safe.`
docs(security): proofread prose, app now shows good and bad - App now shows how Angular handles untrusted URLs and resources - E2e test covered new functionality - Copyedits to prose - Updated provider expressions to use latest syntax The original security feature tracker: https://github.com/angular/angular/issues/8511 2016-06-30 07:21:55 -07:00			`// Always make sure to construct SafeValue objects as`
Security Edits Combined (#2245) * Security Edits Combined * Security copy edits * Fix typo in security * fixing trailing whitespace 2016-09-14 12:11:53 -04:00			`// close as possible to the input data so`
docs(security): Add security documentation. Substantially rewritten, based on original content by Brian Clarkio and Ward Bell and contributions from Naomi Black. 2016-06-20 23:34:14 -07:00			`// that it's easier to check if the value is safe.`
docs(security): proofread prose, app now shows good and bad - App now shows how Angular handles untrusted URLs and resources - E2e test covered new functionality - Copyedits to prose - Updated provider expressions to use latest syntax The original security feature tracker: https://github.com/angular/angular/issues/8511 2016-06-30 07:21:55 -07:00			`this.dangerousVideoUrl = 'https://www.youtube.com/embed/' + id;`
docs(security): Add security documentation. Substantially rewritten, based on original content by Brian Clarkio and Ward Bell and contributions from Naomi Black. 2016-06-20 23:34:14 -07:00			`this.videoUrl =`
docs(security): proofread prose, app now shows good and bad - App now shows how Angular handles untrusted URLs and resources - E2e test covered new functionality - Copyedits to prose - Updated provider expressions to use latest syntax The original security feature tracker: https://github.com/angular/angular/issues/8511 2016-06-30 07:21:55 -07:00			`this.sanitizer.bypassSecurityTrustResourceUrl(this.dangerousVideoUrl);`
docs(security): Add security documentation. Substantially rewritten, based on original content by Brian Clarkio and Ward Bell and contributions from Naomi Black. 2016-06-20 23:34:14 -07:00			`}`
			`// #enddocregion trust-video-url`
			`}`