From 7d4929918dace806d9165733f13899fa5d6c759c Mon Sep 17 00:00:00 2001
From: Bjarki
Date: Wed, 7 Oct 2020 00:04:32 +0000
Subject: [PATCH] fix(core): use Trusted Types policy in inert DOM builder
(#39208)
When Angular is used in an environment that enforces Trusted Types, the
inert DOM builder raises a Trusted Types violation due to its use of
DOMParser and element.innerHTML with plain strings. Since it is only
used internally (in the HTML sanitizer and for i18n ICU parsing), we
update it to use Angular's Trusted Types policy to promote the provided
HTML to TrustedHTML.
PR Close #39208
---
packages/core/src/sanitization/inert_body.ts | 14 +++++++++-----
1 file changed, 9 insertions(+), 5 deletions(-)
diff --git a/packages/core/src/sanitization/inert_body.ts b/packages/core/src/sanitization/inert_body.ts
index 0d7173f01a..d4aed03163 100644
--- a/packages/core/src/sanitization/inert_body.ts
+++ b/packages/core/src/sanitization/inert_body.ts
@@ -6,6 +6,8 @@
* found in the LICENSE file at https://angular.io/license
*/
+import {trustedHTMLFromString} from '../util/security/trusted_types';
+
/**
* This helper is used to get hold of an inert tree of DOM elements containing dirty HTML
* that needs sanitizing.
@@ -36,8 +38,9 @@ class DOMParserHelper implements InertBodyHelper {
// in `html` from consuming the otherwise explicit `
' + html;
try {
- const body = new (window as any).DOMParser().parseFromString(html, 'text/html').body as
- HTMLBodyElement;
+ const body = new window.DOMParser()
+ .parseFromString(trustedHTMLFromString(html) as string, 'text/html')
+ .body as HTMLBodyElement;
body.removeChild(body.firstChild!);
return body;
} catch {
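Review bot: The `as string` cast on `trustedHTMLFromString(html)` at the `parseFromString` call (and the identical casts in the two `innerHTML` hunks below and in `isDOMParserAvailable`) exists only because the DOM lib typings declare these sinks as `string`, while the runtime value is a TrustedHTML object; nothing in the hunk records that, so a later cleanup could "simplify" it back to passing `html` directly and reintroduce the violation. A one-line comment at this first site would pin it down, e.g. `// Cast: lib.dom types parseFromString/innerHTML as string-only; the value is TrustedHTML at runtime.`. Promoting dirty `html` to TrustedHTML is acceptable here only because the parsed document is a detached staging area for the sanitizer, as the header comment at the top of the file describes, and stating that next to the call would make this policy use auditable: `// Safe to promote: the resulting tree is never attached to the live document.`. `getInertBodyElement` continues past the end of this hunk.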
@@ -71,7 +74,7 @@ class InertDocumentHelper implements InertBodyHelper {
// Prefer using element if supported.
const templateEl = this.inertDocument.createElement('template');
if ('content' in templateEl) {
- templateEl.innerHTML = html;
+ templateEl.innerHTML = trustedHTMLFromString(html) as string;
return templateEl;
}
@@ -83,7 +86,7 @@ class InertDocumentHelper implements InertBodyHelper {
// down the line. This has been worked around by creating a new inert `body` and using it as
// the root node in which we insert the HTML.
const inertBody = this.inertDocument.createElement('body');
- inertBody.innerHTML = html;
+ inertBody.innerHTML = trustedHTMLFromString(html) as string;
// Support: IE 9-11 only
// strip custom-namespaced attributes on IE<=11
@@ -129,7 +132,8 @@ class InertDocumentHelper implements InertBodyHelper {
*/
export function isDOMParserAvailable() {
try {
- return !!new (window as any).DOMParser().parseFromString('', 'text/html');
+ return !!new window.DOMParser().parseFromString(
+ trustedHTMLFromString('') as string, 'text/html');
} catch {
return false;
}
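Review bot: `isDOMParserAvailable` now exercises the Trusted Types policy as well as DOMParser, so any exception raised while obtaining the policy or creating the TrustedHTML value lands in the existing `catch` and is reported as "DOMParser unavailable". If `trustedHTMLFromString` can throw when policy creation is refused (the hunk does not show how it handles that case), the helper would silently fall back to the inert-document path in precisely the environments this commit targets, which is worth confirming. Whether or not that is intended, a comment recording the behavior would help the next reader, e.g. `// A Trusted Types policy failure also reaches the catch and reports DOMParser as unavailable.`.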