honeymoose
/
angular-cn
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix(compiler): only promote Trusted Types to constants when necessary (#39554) 

Previously all constant values of security-sensitive attributes and
properties were promoted to Trusted Types. While this is not inherently
bad, it is also not optimal.

Use the newly added Trusted Types schema to restrict promotion to
constants that are in a Trusted Types-relevant context.

PR Close #39554
This commit is contained in:
Bjarki 2020-11-18 16:50:07 +00:00 committed by Andrew Kushnir
parent c8a99ef458
commit 4916870dff
1 changed files with 14 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
packages/compiler/src/render3/view/template.ts
View File

@ -24,6 +24,7 @@ import {mapLiteral} from '../../output/map_util';
import * as o from '../../output/output_ast';
import {ParseError, ParseSourceSpan} from '../../parse_util';
import {DomElementSchemaRegistry} from '../../schema/dom_element_schema_registry';
import {isTrustedTypesSink} from '../../schema/trusted_types_sinks';
import {CssSelector, SelectorMatcher} from '../../selector';
import {BindingParser} from '../../template_parser/binding_parser';
import {error, partitionArray} from '../../util';
@ -2151,15 +2152,19 @@ export function resolveSanitizationFn(context: core.SecurityContext, isAttribute
function trustedConstAttribute(tagName: string, attr: t.TextAttribute): o.Expression {
const value = asLiteral(attr.value);
switch (elementRegistry.securityContext(tagName, attr.name, /* isAttribute */ true)) {
case core.SecurityContext.HTML:
return o.importExpr(R3.trustConstantHtml).callFn([value], attr.valueSpan);
case core.SecurityContext.SCRIPT:
return o.importExpr(R3.trustConstantScript).callFn([value], attr.valueSpan);
case core.SecurityContext.RESOURCE_URL:
return o.importExpr(R3.trustConstantResourceUrl).callFn([value], attr.valueSpan);
default:
return value;
if (isTrustedTypesSink(tagName, attr.name)) {
switch (elementRegistry.securityContext(tagName, attr.name, /* isAttribute */ true)) {
case core.SecurityContext.HTML:
return o.importExpr(R3.trustConstantHtml).callFn([value], attr.valueSpan);
case core.SecurityContext.SCRIPT:
return o.importExpr(R3.trustConstantScript).callFn([value], attr.valueSpan);
case core.SecurityContext.RESOURCE_URL:
return o.importExpr(R3.trustConstantResourceUrl).callFn([value], attr.valueSpan);
default:
return value;
}
} else {
return value;
}
}