honeymoose
/
angular-cn
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

docs(security): security api doc update and fix stability marker for Type

This commit is contained in:
Naomi Black 2016-06-28 11:01:35 -07:00
parent ae4fa56ee9
commit 9340e1b065
7 changed files with 42 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
modules/@angular/compiler/src/runtime_compiler.ts
View File

@ -30,6 +30,10 @@ import {InterpretiveAppViewInstanceFactory} from './output/interpretive_view';
* An internal module of the Angular compiler that begins with component types, * An internal module of the Angular compiler that begins with component types,
* extracts templates, and eventually produces a compiled version of the component * extracts templates, and eventually produces a compiled version of the component
* ready for linking into an application. * ready for linking into an application.
*
* @security When compiling templates at runtime, you must ensure that the entire template comes
* from a trusted source. Attacker-controlled data introduced by a template could expose your
* application to XSS risks. For more detail, see the [Security Guide](http://g.co/ng/security).
*/ */
@Injectable() @Injectable()
export class RuntimeCompiler implements ComponentResolver, Compiler { export class RuntimeCompiler implements ComponentResolver, Compiler {

5
modules/@angular/compiler/src/url_resolver.ts
View File

@ -42,6 +42,11 @@ export var DEFAULT_PACKAGE_URL_PROVIDER = {
* ## Example * ## Example
* *
* {@example compiler/ts/url_resolver/url_resolver.ts region='url_resolver'} * {@example compiler/ts/url_resolver/url_resolver.ts region='url_resolver'}
*
* @security When compiling templates at runtime, you must
* ensure that the entire template comes from a trusted source.
* Attacker-controlled data introduced by a template could expose your
* application to XSS risks. For more detail, see the [Security Guide](http://g.co/ng/security).
*/ */
@Injectable() @Injectable()
export class UrlResolver { export class UrlResolver {

4
modules/@angular/core/src/linker/element_ref.ts
View File

@ -12,6 +12,10 @@
* An `ElementRef` is backed by a render-specific element. In the browser, this is usually a DOM * An `ElementRef` is backed by a render-specific element. In the browser, this is usually a DOM
* element. * element.
* *
* @security Permitting direct access to the DOM can make your application more vulnerable to
* XSS attacks. Carefully review any use of `ElementRef` in your code. For more detail, see the
* [Security Guide](http://g.co/ng/security).
*
* @stable * @stable
*/ */
// Note: We don't expose things like `Injector`, `ViewContainer`, ... here, // Note: We don't expose things like `Injector`, `ViewContainer`, ... here,

8
modules/@angular/facade/src/lang.ts
View File

@ -59,11 +59,6 @@ var _global: BrowserNodeGlobal = globalScope;
export {_global as global}; export {_global as global};
/**
* @stable
*/
export var Type = Function;
/** /**
* Runtime representation a type that a Component or other object is instances of. * Runtime representation a type that a Component or other object is instances of.
* *
@ -72,6 +67,9 @@ export var Type = Function;
* *
* @stable * @stable
*/ */
export var Type = Function;
export interface Type extends Function {} export interface Type extends Function {}
/** /**

8
modules/@angular/http/src/http.ts
View File

@ -202,6 +202,14 @@ export class Jsonp extends Http {
* a {@link Request} instance. If the first argument is a url, an optional {@link RequestOptions} * a {@link Request} instance. If the first argument is a url, an optional {@link RequestOptions}
* object can be provided as the 2nd argument. The options object will be merged with the values * object can be provided as the 2nd argument. The options object will be merged with the values
* of {@link BaseRequestOptions} before performing the request. * of {@link BaseRequestOptions} before performing the request.
*
* @security Regular XHR is the safest alternative to JSONP for most applications, and is
* supported by all current browsers. Because JSONP creates a `<script>` element with
* contents retrieved from a remote source, attacker-controlled data introduced by an untrusted
* source could expose your application to XSS risks. Data exposed by JSONP may also be
* readable by malicious third-party websites. In addition, JSONP introduces potential risk for
* future security issues (e.g. content sniffing). For more detail, see the
* [Security Guide](http://g.co/ng/security).
*/ */
request(url: string|Request, options?: RequestOptionsArgs): Observable<Response> { request(url: string|Request, options?: RequestOptionsArgs): Observable<Response> {
var responseObservable: any; var responseObservable: any;

3
modules/@angular/platform-browser/src/browser.ts
View File

@ -44,6 +44,9 @@ export const BROWSER_PLATFORM_PROVIDERS: Array<any /*Type | Provider | any[]*/>
]; ];
/** /**
* @security Replacing built-in sanitization providers exposes the application to XSS risks.
* Attacker-controlled data introduced by an unsanitized provider could expose your
* application to XSS risks. For more detail, see the [Security Guide](http://g.co/ng/security).
* @experimental * @experimental
*/ */
export const BROWSER_SANITIZATION_PROVIDERS: Array<any> = [ export const BROWSER_SANITIZATION_PROVIDERS: Array<any> = [

20
modules/@angular/platform-browser/src/security/dom_sanitization_service.ts
View File

@ -83,6 +83,11 @@ export interface SafeResourceUrl extends SafeValue {}
* does not start with a suspicious protocol, or an HTML snippet that does not contain dangerous * does not start with a suspicious protocol, or an HTML snippet that does not contain dangerous
* code. The sanitizer leaves safe values intact. * code. The sanitizer leaves safe values intact.
* *
* @security Calling any of the `bypassSecurityTrust...` APIs disables Angular's built-in
* sanitization for the value passed in. Carefully check and audit all values and code paths going
* into this call. Make sure any user data is appropriately escaped for this security context.
* For more detail, see the [Security Guide](http://g.co/ng/security).
*
* @stable * @stable
*/ */
export abstract class DomSanitizationService implements SanitizationService { export abstract class DomSanitizationService implements SanitizationService {
@ -101,21 +106,24 @@ export abstract class DomSanitizationService implements SanitizationService {
* is unsafe (e.g. contains `<script>` tags) and the code should be executed. The sanitizer will * is unsafe (e.g. contains `<script>` tags) and the code should be executed. The sanitizer will
* leave safe HTML intact, so in most situations this method should not be used. * leave safe HTML intact, so in most situations this method should not be used.
* *
* WARNING: calling this method with untrusted user data will cause severe security bugs! * **WARNING:** calling this method with untrusted user data exposes your application to XSS
* security risks!
*/ */
abstract bypassSecurityTrustHtml(value: string): SafeHtml; abstract bypassSecurityTrustHtml(value: string): SafeHtml;
/** /**
* Bypass security and trust the given value to be safe style value (CSS). * Bypass security and trust the given value to be safe style value (CSS).
* *
* WARNING: calling this method with untrusted user data will cause severe security bugs! * **WARNING:** calling this method with untrusted user data exposes your application to XSS
* security risks!
*/ */
abstract bypassSecurityTrustStyle(value: string): SafeStyle; abstract bypassSecurityTrustStyle(value: string): SafeStyle;
/** /**
* Bypass security and trust the given value to be safe JavaScript. * Bypass security and trust the given value to be safe JavaScript.
* *
* WARNING: calling this method with untrusted user data will cause severe security bugs! * **WARNING:** calling this method with untrusted user data exposes your application to XSS
* security risks!
*/ */
abstract bypassSecurityTrustScript(value: string): SafeScript; abstract bypassSecurityTrustScript(value: string): SafeScript;
@ -123,7 +131,8 @@ export abstract class DomSanitizationService implements SanitizationService {
* Bypass security and trust the given value to be a safe style URL, i.e. a value that can be used * Bypass security and trust the given value to be a safe style URL, i.e. a value that can be used
* in hyperlinks or `<img src>`. * in hyperlinks or `<img src>`.
* *
* WARNING: calling this method with untrusted user data will cause severe security bugs! * **WARNING:** calling this method with untrusted user data exposes your application to XSS
* security risks!
*/ */
abstract bypassSecurityTrustUrl(value: string): SafeUrl; abstract bypassSecurityTrustUrl(value: string): SafeUrl;
@ -131,7 +140,8 @@ export abstract class DomSanitizationService implements SanitizationService {
* Bypass security and trust the given value to be a safe resource URL, i.e. a location that may * Bypass security and trust the given value to be a safe resource URL, i.e. a location that may
* be used to load executable code from, like `<script src>`, or `<iframe src>`. * be used to load executable code from, like `<script src>`, or `<iframe src>`.
* *
* WARNING: calling this method with untrusted user data will cause severe security bugs! * **WARNING:** calling this method with untrusted user data exposes your application to XSS
* security risks!
*/ */
abstract bypassSecurityTrustResourceUrl(value: string): SafeResourceUrl; abstract bypassSecurityTrustResourceUrl(value: string): SafeResourceUrl;
} }