angular-docs-cn/packages/core/src/sanitization/security.ts

/**
 * @license
 * Copyright Google Inc. All Rights Reserved.
 *
 * Use of this source code is governed by an MIT-style license that can be
 * found in the LICENSE file at https://angular.io/license
 */

/**
 * A SecurityContext marks a location that has dangerous security implications, e.g. a DOM property
 * like `innerHTML` that could cause Cross Site Scripting (XSS) security bugs when improperly
 * handled.
 *
 * See DomSanitizer for more details on security in Angular applications.
 *
 * @publicApi
 */
export enum SecurityContext {
  NONE = 0,
  HTML = 1,
  STYLE = 2,
  SCRIPT = 3,
  URL = 4,
  RESOURCE_URL = 5,
}

/**
 * Sanitizer is used by the views to sanitize potentially dangerous values.
 *
 * @publicApi
 */
export abstract class Sanitizer {
  abstract sanitize(context: SecurityContext, value: {}|string|null): string|null;
}
chore(lint): Added license headers to most TypeScript files Relates to #9380 2016-06-23 09:47:54 -07:00			`/**`
			`* @license`
			`* Copyright Google Inc. All Rights Reserved.`
			`*`
			`* Use of this source code is governed by an MIT-style license that can be`
			`* found in the LICENSE file at https://angular.io/license`
			`*/`

feat: security implementation in Angular 2. Summary: This adds basic security hooks to Angular 2. * `SecurityContext` is a private API between core, compiler, and platform-browser. `SecurityContext` communicates what context a value is used in across template parser, compiler, and sanitization at runtime. * `SanitizationService` is the bare bones interface to sanitize values for a particular context. * `SchemaElementRegistry.securityContext(tagName, attributeOrPropertyName)` determines the security context for an attribute or property (it turns out attributes and properties match for the purposes of sanitization). Based on these hooks: * `DomSchemaElementRegistry` decides what sanitization applies in a particular context. * `DomSanitizationService` implements `SanitizationService` and adds Safe Values, i.e. the ability to mark a value as safe and not requiring further sanitization. * `url_sanitizer` and `style_sanitizer` sanitize URLs and Styles, respectively (surprise!). `DomSanitizationService` is the default implementation bound for browser applications, in the three contexts (browser rendering, web worker rendering, server side rendering). BREAKING CHANGES: * SECURITY WARNING * Angular 2 Release Candidates do not implement proper contextual escaping yet. Make sure to correctly escape all values that go into the DOM. * SECURITY WARNING * Reviewers: IgorMinar Differential Revision: https://reviews.angular.io/D103 2016-04-29 16:04:08 -07:00			`/**`
			`* A SecurityContext marks a location that has dangerous security implications, e.g. a DOM property`
			* like `innerHTML` that could cause Cross Site Scripting (XSS) security bugs when improperly
			`* handled.`
			`*`
refactor: rename SanitizationService to Sanitizer and DomSanitizationService to DomSanitizer (#11085) BREAKING CHANGE: Previously inconsistently named APIs SanitizationService and DomSanitizationService were renamed to Sanitizer and DomSanitizer 2016-08-25 15:41:19 -07:00			`* See DomSanitizer for more details on security in Angular applications.`
fix: public api surface fixes + stability markers - ts-api-guardian will now error if a new public symbol is added with a stability marker (`@stable`, `@experimental`, `@deprecated`) - DomEventsPlugin and KeyEventsPlugin were removed from public api surface - these classes is an implementation detail - deprecated BROWSER_PROVIDERS was removed completely - `@angular/compiler` was removed from the ts-api-guardian check since this package shouldn't contain anything that users need to directly import - the rest of the api surface was conservatively marked as stable or experimental BREAKING CHANGES: DomEventsPlugin and KeyEventsPlugin previously exported from core are no longer public - these classes are implementation detail. Previously deprecated BROWSER_PROVIDERS was completely removed from platform-browser. Closes #9236 Closes #9235 Ref #9234 2016-06-27 12:27:23 -07:00			`*`
docs: update core to use `@publicApi` tags (#26595) PR Close #26595 2018-10-19 16:27:04 +01:00			`* @publicApi`
feat: security implementation in Angular 2. Summary: This adds basic security hooks to Angular 2. * `SecurityContext` is a private API between core, compiler, and platform-browser. `SecurityContext` communicates what context a value is used in across template parser, compiler, and sanitization at runtime. * `SanitizationService` is the bare bones interface to sanitize values for a particular context. * `SchemaElementRegistry.securityContext(tagName, attributeOrPropertyName)` determines the security context for an attribute or property (it turns out attributes and properties match for the purposes of sanitization). Based on these hooks: * `DomSchemaElementRegistry` decides what sanitization applies in a particular context. * `DomSanitizationService` implements `SanitizationService` and adds Safe Values, i.e. the ability to mark a value as safe and not requiring further sanitization. * `url_sanitizer` and `style_sanitizer` sanitize URLs and Styles, respectively (surprise!). `DomSanitizationService` is the default implementation bound for browser applications, in the three contexts (browser rendering, web worker rendering, server side rendering). BREAKING CHANGES: * SECURITY WARNING * Angular 2 Release Candidates do not implement proper contextual escaping yet. Make sure to correctly escape all values that go into the DOM. * SECURITY WARNING * Reviewers: IgorMinar Differential Revision: https://reviews.angular.io/D103 2016-04-29 16:04:08 -07:00			`*/`
			`export enum SecurityContext {`
refactor(compiler): split compiler and core (#18683) After this, neither @angular/compiler nor @angular/comnpiler-cli depend on @angular/core. This add a duplication of some interfaces and enums which is stored in @angular/compiler/src/core.ts BREAKING CHANGE: - `@angular/platform-server` now additionally depends on `@angular/platform-browser-dynamic` as a peer dependency. PR Close #18683 2017-08-16 09:00:03 -07:00			`NONE = 0,`
			`HTML = 1,`
			`STYLE = 2,`
			`SCRIPT = 3,`
			`URL = 4,`
			`RESOURCE_URL = 5,`
feat: security implementation in Angular 2. Summary: This adds basic security hooks to Angular 2. * `SecurityContext` is a private API between core, compiler, and platform-browser. `SecurityContext` communicates what context a value is used in across template parser, compiler, and sanitization at runtime. * `SanitizationService` is the bare bones interface to sanitize values for a particular context. * `SchemaElementRegistry.securityContext(tagName, attributeOrPropertyName)` determines the security context for an attribute or property (it turns out attributes and properties match for the purposes of sanitization). Based on these hooks: * `DomSchemaElementRegistry` decides what sanitization applies in a particular context. * `DomSanitizationService` implements `SanitizationService` and adds Safe Values, i.e. the ability to mark a value as safe and not requiring further sanitization. * `url_sanitizer` and `style_sanitizer` sanitize URLs and Styles, respectively (surprise!). `DomSanitizationService` is the default implementation bound for browser applications, in the three contexts (browser rendering, web worker rendering, server side rendering). BREAKING CHANGES: * SECURITY WARNING * Angular 2 Release Candidates do not implement proper contextual escaping yet. Make sure to correctly escape all values that go into the DOM. * SECURITY WARNING * Reviewers: IgorMinar Differential Revision: https://reviews.angular.io/D103 2016-04-29 16:04:08 -07:00			`}`

			`/**`
refactor: rename SanitizationService to Sanitizer and DomSanitizationService to DomSanitizer (#11085) BREAKING CHANGE: Previously inconsistently named APIs SanitizationService and DomSanitizationService were renamed to Sanitizer and DomSanitizer 2016-08-25 15:41:19 -07:00			`* Sanitizer is used by the views to sanitize potentially dangerous values.`
fix: public api surface fixes + stability markers - ts-api-guardian will now error if a new public symbol is added with a stability marker (`@stable`, `@experimental`, `@deprecated`) - DomEventsPlugin and KeyEventsPlugin were removed from public api surface - these classes is an implementation detail - deprecated BROWSER_PROVIDERS was removed completely - `@angular/compiler` was removed from the ts-api-guardian check since this package shouldn't contain anything that users need to directly import - the rest of the api surface was conservatively marked as stable or experimental BREAKING CHANGES: DomEventsPlugin and KeyEventsPlugin previously exported from core are no longer public - these classes are implementation detail. Previously deprecated BROWSER_PROVIDERS was completely removed from platform-browser. Closes #9236 Closes #9235 Ref #9234 2016-06-27 12:27:23 -07:00			`*`
docs: update core to use `@publicApi` tags (#26595) PR Close #26595 2018-10-19 16:27:04 +01:00			`* @publicApi`
feat: security implementation in Angular 2. Summary: This adds basic security hooks to Angular 2. * `SecurityContext` is a private API between core, compiler, and platform-browser. `SecurityContext` communicates what context a value is used in across template parser, compiler, and sanitization at runtime. * `SanitizationService` is the bare bones interface to sanitize values for a particular context. * `SchemaElementRegistry.securityContext(tagName, attributeOrPropertyName)` determines the security context for an attribute or property (it turns out attributes and properties match for the purposes of sanitization). Based on these hooks: * `DomSchemaElementRegistry` decides what sanitization applies in a particular context. * `DomSanitizationService` implements `SanitizationService` and adds Safe Values, i.e. the ability to mark a value as safe and not requiring further sanitization. * `url_sanitizer` and `style_sanitizer` sanitize URLs and Styles, respectively (surprise!). `DomSanitizationService` is the default implementation bound for browser applications, in the three contexts (browser rendering, web worker rendering, server side rendering). BREAKING CHANGES: * SECURITY WARNING * Angular 2 Release Candidates do not implement proper contextual escaping yet. Make sure to correctly escape all values that go into the DOM. * SECURITY WARNING * Reviewers: IgorMinar Differential Revision: https://reviews.angular.io/D103 2016-04-29 16:04:08 -07:00			`*/`
refactor: rename SanitizationService to Sanitizer and DomSanitizationService to DomSanitizer (#11085) BREAKING CHANGE: Previously inconsistently named APIs SanitizationService and DomSanitizationService were renamed to Sanitizer and DomSanitizer 2016-08-25 15:41:19 -07:00			`export abstract class Sanitizer {`
fix(platform-browser): Update types for TypeScript nullability support Closes #15898 2017-03-24 09:59:41 -07:00			`abstract sanitize(context: SecurityContext, value: {}\|string\|null): string\|null;`
feat: security implementation in Angular 2. Summary: This adds basic security hooks to Angular 2. * `SecurityContext` is a private API between core, compiler, and platform-browser. `SecurityContext` communicates what context a value is used in across template parser, compiler, and sanitization at runtime. * `SanitizationService` is the bare bones interface to sanitize values for a particular context. * `SchemaElementRegistry.securityContext(tagName, attributeOrPropertyName)` determines the security context for an attribute or property (it turns out attributes and properties match for the purposes of sanitization). Based on these hooks: * `DomSchemaElementRegistry` decides what sanitization applies in a particular context. * `DomSanitizationService` implements `SanitizationService` and adds Safe Values, i.e. the ability to mark a value as safe and not requiring further sanitization. * `url_sanitizer` and `style_sanitizer` sanitize URLs and Styles, respectively (surprise!). `DomSanitizationService` is the default implementation bound for browser applications, in the three contexts (browser rendering, web worker rendering, server side rendering). BREAKING CHANGES: * SECURITY WARNING * Angular 2 Release Candidates do not implement proper contextual escaping yet. Make sure to correctly escape all values that go into the DOM. * SECURITY WARNING * Reviewers: IgorMinar Differential Revision: https://reviews.angular.io/D103 2016-04-29 16:04:08 -07:00			`}`