Commit Graph

7 Commits

Author SHA1 Message Date
Martin Probst db66509e66 test(security): tests for HTML5 elements, srcset.
Part of #9572.
2016-06-27 12:19:03 -07:00
Julie Ralph 3d8eb8cbca fix(platform-browser/testing): clean up public api for platform-browser/testing (#9519)
Mostly, removing things that were never intended to be exported publicy.

BREAKING CHANGE:

The following are no longer publicly exported APIs. They were intended as internal
utilities and you should use your own util:

```
browserDetection,
dispatchEvent,
el,
normalizeCSS,
stringifyElement,
expect (and custom matchers for Jasmine)
```
2016-06-23 16:42:25 -07:00
Wojciech Kwiatek 98cef76931 fix(security): no warning when sanitizing escaped html (#9392) (#9413) 2016-06-23 13:06:19 -07:00
ScottSWu ae75e3640a chore(lint): Added license headers to most TypeScript files
Relates to #9380
2016-06-23 09:47:54 -07:00
Alex Eagle f39c9c9e75 style(lint): re-format modules/@angular 2016-06-09 17:00:15 -07:00
Martin Probst 3e68b7eb1f feat(security): warn users when sanitizing in dev mode.
This should help developers to figure out what's going on when the sanitizer
strips some input.

Fixes #8522.
2016-05-09 16:46:31 +02:00
Martin Probst f86edae9f3 feat(security): add an HTML sanitizer.
This is based on Angular 1's implementation, parsing an HTML document
into an inert DOM Document implementation, and then serializing only
specifically whitelisted elements.

It currently does not support SVG sanitization, all SVG elements are
rejected.

If available, the sanitizer uses the `<template>` HTML element as an
inert container.

Sanitization works client and server-side.

Reviewers: rjamet, tbosch , molnarg , koto

Differential Revision: https://reviews.angular.io/D108
2016-05-09 16:00:24 +02:00