<html lang="en"><head></head><body><form id="mainForm" method="post" action="http://plnkr.co/edit/?p=preview" target="_self"><input type="hidden" name="files[app/app.component.ts]" value="import { Component } from '@angular/core';
|
|
|
|
/**
 * Root component of the security demo. It only hosts the two child
 * components that show Angular's data-binding sanitization at work
 * (`<inner-html-binding>` and `<bypass-security>`).
 */
@Component({
  selector: 'my-app',
  template: `
<h1>Security</h1>
<inner-html-binding></inner-html-binding>
<bypass-security></bypass-security>
`
})
export class AppComponent {
}
|
|
|
|
|
|
/*
|
|
Copyright 2016 Google Inc. All Rights Reserved.
|
|
Use of this source code is governed by an MIT-style license that
|
|
can be found in the LICENSE file at http://angular.io/license
|
|
*/"><input type="hidden" name="files[app/app.module.ts]" value="import { NgModule } from '@angular/core';
|
|
import { BrowserModule } from '@angular/platform-browser';
|
|
|
|
import { AppComponent } from './app.component';
|
|
import { BypassSecurityComponent } from './bypass-security.component';
|
|
import { InnerHtmlBindingComponent } from './inner-html-binding.component';
|
|
|
|
/**
 * Root module of the demo: declares the three example components and
 * bootstraps AppComponent. BrowserModule is what provides DomSanitizer
 * to BypassSecurityComponent.
 */
@NgModule({
  imports: [ BrowserModule ],
  declarations: [
    AppComponent,
    BypassSecurityComponent,
    InnerHtmlBindingComponent
  ],
  bootstrap: [ AppComponent ]
})
export class AppModule { }
|
|
|
|
|
|
/*
|
|
Copyright 2016 Google Inc. All Rights Reserved.
|
|
Use of this source code is governed by an MIT-style license that
|
|
can be found in the LICENSE file at http://angular.io/license
|
|
*/"><input type="hidden" name="files[app/bypass-security.component.ts]" value="import { Component } from '@angular/core';
|
|
import { DomSanitizer, SafeResourceUrl, SafeUrl } from '@angular/platform-browser';
|
|
|
|
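/**
 * Demonstrates `DomSanitizer.bypassSecurityTrust*`: a value marked as trusted
 * is bound without Angular's usual sanitization, so the component that marks
 * it takes on the responsibility of proving it is safe. `dangerousUrl` is
 * deliberately a javascript: URL so the template can show the difference
 * between the raw binding (sanitized by Angular) and the bypassed one.
 */
@Component({
  selector: 'bypass-security',
  moduleId: module.id,
  templateUrl: './bypass-security.component.html',
})
export class BypassSecurityComponent {
  /** Raw javascript: URL; Angular sanitizes it when bound directly. */
  dangerousUrl: string;
  /** The same URL explicitly marked as trusted, so it is bound as-is. */
  trustedUrl: SafeUrl;
  /** Embed URL built from a video id, before it is marked as trusted. */
  dangerousVideoUrl: string;
  /** The embed URL marked as a trusted resource URL for the iframe [src]. */
  videoUrl: SafeResourceUrl;

  constructor(private sanitizer: DomSanitizer) {
    // javascript: URLs are dangerous if attacker controlled.
    // Angular sanitizes them in data binding, but you can
    // explicitly tell Angular to trust this value:
    this.dangerousUrl = 'javascript:alert("Hi there")';
    this.trustedUrl = sanitizer.bypassSecurityTrustUrl(this.dangerousUrl);
    this.updateVideoUrl('PUBnlbjZFAI');
  }

  /**
   * Builds the YouTube embed URL for `id` and marks it as a trusted resource URL.
   *
   * Appending a bare video id to the fixed YouTube prefix is safe; the id is
   * percent-encoded first so that a value containing `/`, `?`, `#` or similar
   * cannot change which resource the iframe loads. Always construct SafeValue
   * objects as close as possible to the input data so that it is easier to
   * check that the value is safe.
   *
   * @param id YouTube video id to embed.
   */
  updateVideoUrl(id: string) {
    this.dangerousVideoUrl = 'https://www.youtube.com/embed/' + encodeURIComponent(id);
    this.videoUrl =
      this.sanitizer.bypassSecurityTrustResourceUrl(this.dangerousVideoUrl);
  }
}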
|
|
|
|
|
|
/*
|
|
Copyright 2016 Google Inc. All Rights Reserved.
|
|
Use of this source code is governed by an MIT-style license that
|
|
can be found in the LICENSE file at http://angular.io/license
|
|
*/"><input type="hidden" name="files[app/inner-html-binding.component.ts]" value="import { Component } from '@angular/core';
|
|
|
|
/**
 * Shows the two ways a string can reach the DOM: interpolation (`{{ }}`)
 * and the `[innerHTML]` property binding. Its template binds the same
 * attacker-controlled snippet both ways so the renderings can be compared.
 */
@Component({
  moduleId: module.id,
  selector: 'inner-html-binding',
  templateUrl: './inner-html-binding.component.html',
})
export class InnerHtmlBindingComponent {
  // For example, a user/attacker-controlled value from a URL.
  // Contains a script element on purpose; the template binds it once as
  // text and once as HTML so the effect of each binding can be compared.
  htmlSnippet = 'Template <script>alert("0wned")</script> <b>Syntax</b>';
}
|
|
|
|
|
|
/*
|
|
Copyright 2016 Google Inc. All Rights Reserved.
|
|
Use of this source code is governed by an MIT-style license that
|
|
can be found in the LICENSE file at http://angular.io/license
|
|
*/"><input type="hidden" name="files[main.ts]" value="import { platformBrowserDynamic } from '@angular/platform-browser-dynamic';
|
|
import { AppModule } from './app/app.module';
|
|
|
|
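// Bootstrap the root module. bootstrapModule returns a promise; report a
// failed bootstrap instead of leaving the rejection unhandled.
platformBrowserDynamic().bootstrapModule(AppModule)
  .catch((err: unknown) => console.error(err));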
|
|
|
|
|
|
|
|
/*
|
|
Copyright 2016 Google Inc. All Rights Reserved.
|
|
Use of this source code is governed by an MIT-style license that
|
|
can be found in the LICENSE file at http://angular.io/license
|
|
*/"><input type="hidden" name="files[styles.css]" value="/* Master Styles */
|
|
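h1 {
  color: #369;
  font-family: Arial, Helvetica, sans-serif;
  font-size: 250%;
}
h2, h3 {
  color: #444;
  font-family: Arial, Helvetica, sans-serif;
  font-weight: lighter;
}
body {
  margin: 2em;
}
/* `input[text]` matched inputs that carry a literal "text" attribute, i.e.
   nothing; the intent is text inputs, which is `input[type=text]`. */
body, input[type=text], button {
  color: #888;
  font-family: Cambria, Georgia;
}
a {
  cursor: pointer;
  cursor: hand;
}
button {
  font-family: Arial;
  background-color: #eee;
  border: none;
  padding: 5px 10px;
  border-radius: 4px;
  cursor: pointer;
  cursor: hand;
}
button:hover {
  background-color: #cfd8dc;
}
button:disabled {
  background-color: #eee;
  color: #aaa;
  cursor: auto;
}

/* Navigation link styles */
nav a {
  padding: 5px 10px;
  text-decoration: none;
  margin-right: 10px;
  margin-top: 10px;
  display: inline-block;
  background-color: #eee;
  border-radius: 4px;
}
nav a:visited, a:link {
  color: #607D8B;
}
nav a:hover {
  color: #039be5;
  background-color: #CFD8DC;
}
nav a.active {
  color: #039be5;
}

/* items class */
.items {
  margin: 0 0 2em 0;
  list-style-type: none;
  padding: 0;
  width: 24em;
}
.items li {
  cursor: pointer;
  position: relative;
  left: 0;
  background-color: #EEE;
  margin: .5em;
  padding: .3em 0;
  height: 1.6em;
  border-radius: 4px;
}
.items li:hover {
  color: #607D8B;
  background-color: #DDD;
  left: .1em;
}
.items li.selected {
  background-color: #CFD8DC;
  color: white;
}
.items li.selected:hover {
  background-color: #BBD8DC;
}
.items .text {
  position: relative;
  top: -3px;
}
.items .badge {
  display: inline-block;
  font-size: small;
  color: white;
  padding: 0.8em 0.7em 0 0.7em;
  background-color: #607D8B;
  line-height: 1em;
  position: relative;
  left: -1px;
  top: -4px;
  height: 1.8em;
  margin-right: .8em;
  border-radius: 4px 0 0 4px;
}
/* everywhere else */
* {
  font-family: Arial, Helvetica, sans-serif;
}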
|
|
|
|
|
|
/*
|
|
Copyright 2016 Google Inc. All Rights Reserved.
|
|
Use of this source code is governed by an MIT-style license that
|
|
can be found in the LICENSE file at http://angular.io/license
|
|
*/"><input type="hidden" name="files[app/bypass-security.component.html]" value="<h3>Bypass Security Component</h3>
|
|
|
|
<h4>An untrusted URL:</h4>
<!-- Plain string binding: Angular sanitizes the javascript: URL here. -->
<p><a class="e2e-dangerous-url" [href]="dangerousUrl">Click me</a></p>
<h4>A trusted URL:</h4>
<!-- SafeUrl from bypassSecurityTrustUrl: bound as-is, no sanitization. -->
<p><a class="e2e-trusted-url" [href]="trustedUrl">Click me</a></p>

<h4>Resource URL:</h4>
<p>Showing: {{dangerousVideoUrl}}</p>
<p>Trusted:</p>
<!-- videoUrl is a SafeResourceUrl built in the component, so it bypasses
     Angular's resource-URL sanitization for this [src]. -->
<iframe class="e2e-iframe-trusted-src" width="640" height="390" [src]="videoUrl"></iframe>
<p>Untrusted:</p>
<!-- Same URL as a plain string: this binding goes through Angular's normal
     data-binding sanitization, which is what the example contrasts. -->
<iframe class="e2e-iframe-untrusted-src" width="640" height="390" [src]="dangerousVideoUrl"></iframe>
|
|
|
|
|
|
<!--
|
|
Copyright 2016 Google Inc. All Rights Reserved.
|
|
Use of this source code is governed by an MIT-style license that
|
|
can be found in the LICENSE file at http://angular.io/license
|
|
-->"><input type="hidden" name="files[app/inner-html-binding.component.html]" value="<h3>Binding innerHTML</h3>
|
|
<p>Bound value:</p>
<!-- Interpolation: the snippet is rendered as text, markup included. -->
<p class="e2e-inner-html-interpolated">{{htmlSnippet}}</p>
<p>Result of binding to innerHTML:</p>
<!-- Property binding: the same attacker-controlled snippet is bound as HTML;
     compare this rendering with the interpolated one above. -->
<p class="e2e-inner-html-bound" [innerHTML]="htmlSnippet"></p>
|
|
|
|
|
|
<!--
|
|
Copyright 2016 Google Inc. All Rights Reserved.
|
|
Use of this source code is governed by an MIT-style license that
|
|
can be found in the LICENSE file at http://angular.io/license
|
|
-->"><input type="hidden" name="files[index.html]" value="<!DOCTYPE html>
|
|
<html>
<head>
  <title>Angular Content Security</title>
  <!-- base href is taken from the page's own URL so relative paths resolve
       inside the Plunker preview this form posts to. -->
  <script>document.write('<base href="' + document.location + '" />');</script>
  <meta charset="UTF-8">
  <meta name="viewport" content="width=device-width, initial-scale=1">
  <link rel="stylesheet" href="styles.css">

  <!-- Polyfills -->
  <!-- NOTE(review): these scripts are loaded from third-party CDNs without
       integrity attributes (and core-js without a pinned version), so the
       page trusts whatever those hosts currently serve. -->
  <script src="https://unpkg.com/core-js/client/shim.min.js"></script>

  <script src="https://unpkg.com/zone.js@0.7.4?main=browser"></script>
  <script src="https://unpkg.com/systemjs@0.19.39/dist/system.src.js"></script>

  <script src="https://cdn.rawgit.com/angular/angular.io/b3c65a9/public/docs/_examples/_boilerplate/systemjs.config.web.js"></script>
  <script>
    System.import('main.js').catch(function(err){ console.error(err); });
  </script>
</head>

<body>
  <my-app>Loading...</my-app>
</body>
</html>
|
|
|
|
|
|
<!--
|
|
Copyright 2016 Google Inc. All Rights Reserved.
|
|
Use of this source code is governed by an MIT-style license that
|
|
can be found in the LICENSE file at http://angular.io/license
|
|
-->"><input type="hidden" name="tags[0]" value="angular"><input type="hidden" name="tags[1]" value="example"><input type="hidden" name="tags[2]" value="security"><input type="hidden" name="private" value="true"><input type="hidden" name="description" value="Angular Example - Content Security"></form><script>document.getElementById("mainForm").submit();</script></body></html> |