docs(security): point users to docs when sanitization fails. (#9680)

Martin Probst 2016-06-28 18:13:46 -07:00 committed by GitHub
parent e2116c53f3
commit 810c722413
4 changed files with 16 additions and 7 deletions


@ -175,15 +175,18 @@ export class DomSanitizationServiceImpl extends DomSanitizationService {
return value.changingThisBreaksApplicationSecurity;
}
this.checkNotSafeValue(value, 'ResourceURL');
throw new Error('unsafe value used in a resource URL context');
throw new Error(
'unsafe value used in a resource URL context (see http://g.co/ng/security#xss)');
default:
throw new Error(`Unexpected SecurityContext ${ctx}`);
throw new Error(`Unexpected SecurityContext ${ctx} (see http://g.co/ng/security#xss)`);
}
}
private checkNotSafeValue(value: any, expectedType: string) {
if (value instanceof SafeValueImpl) {
throw new Error(`Required a safe ${expectedType}, got a ${value.getTypeName()}`);
throw new Error(
`Required a safe ${expectedType}, got a ${value.getTypeName()} ` +
`(see http://g.co/ng/security#xss)`);
}
}
@ -204,7 +207,8 @@ abstract class SafeValueImpl implements SafeValue {
abstract getTypeName(): string;
toString() {
return `SafeValue must use [property]=binding: ${this.changingThisBreaksApplicationSecurity}`;
return `SafeValue must use [property]=binding: ${this.changingThisBreaksApplicationSecurity}` +
` (see http://g.co/ng/security#xss)`;
}
}
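Review bot: The literal `(see http://g.co/ng/security#xss)` is spelled out by hand in every message this commit touches — the two throw sites and checkNotSafeValue in the first hunk, toString() in the second, and again in the sanitizeHtml, sanitizeStyle and sanitizeUrl sections — so a later change to the URL or its anchor has to be repeated in seven strings across four files. Hoisting it once into the shared security module, e.g. `const SECURITY_DOCS_LINK = 'http://g.co/ng/security#xss';` (constructed name) and interpolating `${SECURITY_DOCS_LINK}` in each message, keeps the pointers from drifting and makes the messages easier to grep. The sanitize method whose `ResourceURL` case appears in the first hunk begins above the hunk, so only its tail is under review here.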


@ -271,7 +271,7 @@ export function sanitizeHtml(unsafeHtmlInput: string): string {
}
if (isDevMode() && safeHtml !== unsafeHtmlInput) {
DOM.log('WARNING: sanitizing HTML stripped some content.');
DOM.log('WARNING: sanitizing HTML stripped some content (see http://g.co/ng/security#xss).');
}
return safeHtml;


@ -92,7 +92,10 @@ export function sanitizeStyle(value: string): string {
return value; // Safe style values.
}
if (isDevMode()) getDOM().log('WARNING: sanitizing unsafe style value ' + value);
if (isDevMode()) {
getDOM().log(
`WARNING: sanitizing unsafe style value ${value} (see http://g.co/ng/security#xss).`);
}
return 'unsafe';
}
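Review bot: The rewritten dev-mode warning interpolates the rejected `value` verbatim into the template literal, so a long inline style (a data: URL, say) produces an equally long console line, and a value containing newlines breaks the message across lines and separates it from the docs pointer appended at the end. If the goal is to identify the offending binding rather than reproduce it, a bounded excerpt such as `${value.slice(0, 200)}` keeps the log readable; the same consideration applies to the URL message in the sanitizeUrl section. sanitizeStyle's signature is visible in the hunk header but its opening lines are outside the hunk.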


@ -50,7 +50,9 @@ export function sanitizeUrl(url: string): string {
url = String(url);
if (url.match(SAFE_URL_PATTERN) || url.match(DATA_URL_PATTERN)) return url;
if (isDevMode()) getDOM().log('WARNING: sanitizing unsafe URL value ' + url);
if (isDevMode()) {
getDOM().log(`WARNING: sanitizing unsafe URL value ${url} (see http://g.co/ng/security#xss)`);
}
return 'unsafe:' + url;
}
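Review bot: The new URL warning ends without a period, while the parallel messages added in the sanitizeHtml and sanitizeStyle sections close with `.` after the parenthesis, so the three dev-mode warnings now differ only in trailing punctuation. Appending the period inside the template literal so the message reads `... (see http://g.co/ng/security#xss).` keeps the wording uniform for anyone matching these lines in console output. The `url = String(url)` coercion at the top of the hunk predates this change and is left as is.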