2016-05-09 16:46:31 +02:00
|
|
|
import {getDOM} from '../dom/dom_adapter';
|
|
|
|
import {assertionsEnabled} from '../../src/facade/lang';
|
|
|
|
|
feat: security implementation in Angular 2.
Summary:
This adds basic security hooks to Angular 2.
* `SecurityContext` is a private API between core, compiler, and
platform-browser. `SecurityContext` communicates what context a value is used
in across template parser, compiler, and sanitization at runtime.
* `SanitizationService` is the bare bones interface to sanitize values for a
particular context.
* `SchemaElementRegistry.securityContext(tagName, attributeOrPropertyName)`
determines the security context for an attribute or property (it turns out
attributes and properties match for the purposes of sanitization).
Based on these hooks:
* `DomSchemaElementRegistry` decides what sanitization applies in a particular
context.
* `DomSanitizationService` implements `SanitizationService` and adds *Safe
Value*s, i.e. the ability to mark a value as safe and not requiring further
sanitization.
* `url_sanitizer` and `style_sanitizer` sanitize URLs and Styles, respectively
(surprise!).
`DomSanitizationService` is the default implementation bound for browser
applications, in the three contexts (browser rendering, web worker rendering,
server side rendering).
BREAKING CHANGES:
*** SECURITY WARNING ***
Angular 2 Release Candidates do not implement proper contextual escaping yet.
Make sure to correctly escape all values that go into the DOM.
*** SECURITY WARNING ***
Reviewers: IgorMinar
Differential Revision: https://reviews.angular.io/D103
2016-04-29 16:04:08 -07:00
|
|
|
/**
|
|
|
|
* Regular expression for safe style values.
|
|
|
|
*
|
|
|
|
* Quotes (" and ') are allowed, but a check must be done elsewhere to ensure
|
|
|
|
* they're balanced.
|
|
|
|
*
|
|
|
|
* ',' allows multiple values to be assigned to the same property
|
|
|
|
* (e.g. background-attachment or font-family) and hence could allow
|
|
|
|
* multiple values to get injected, but that should pose no risk of XSS.
|
|
|
|
*
|
|
|
|
* The rgb() and rgba() expression checks only for XSS safety, not for CSS
|
|
|
|
* validity.
|
|
|
|
*
|
|
|
|
* This regular expression was taken from the Closure sanitization library.
|
|
|
|
*/
|
|
|
|
const SAFE_STYLE_VALUE = /^([-,."'%_!# a-zA-Z0-9]+|(?:rgb|hsl)a?\([0-9.%, ]+\))$/;
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Checks that quotes (" and ') are properly balanced inside a string. Assumes
|
|
|
|
* that neither escape (\) nor any other character that could result in
|
|
|
|
* breaking out of a string parsing context are allowed;
|
|
|
|
* see http://www.w3.org/TR/css3-syntax/#string-token-diagram.
|
|
|
|
*
|
|
|
|
* This code was taken from the Closure sanitization library.
|
|
|
|
*/
|
|
|
|
function hasBalancedQuotes(value: string) {
|
|
|
|
let outsideSingle = true;
|
|
|
|
let outsideDouble = true;
|
|
|
|
for (let i = 0; i < value.length; i++) {
|
|
|
|
let c = value.charAt(i);
|
|
|
|
if (c === '\'' && outsideDouble) {
|
|
|
|
outsideSingle = !outsideSingle;
|
|
|
|
} else if (c === '"' && outsideSingle) {
|
|
|
|
outsideDouble = !outsideDouble;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return outsideSingle && outsideDouble;
|
|
|
|
}
|
|
|
|
|
2016-05-03 18:41:07 -07:00
|
|
|
/**
|
|
|
|
* Sanitizes the given untrusted CSS style property value (i.e. not an entire object, just a single
|
|
|
|
* value) and returns a value that is safe to use in a browser environment.
|
|
|
|
*/
|
feat: security implementation in Angular 2.
Summary:
This adds basic security hooks to Angular 2.
* `SecurityContext` is a private API between core, compiler, and
platform-browser. `SecurityContext` communicates what context a value is used
in across template parser, compiler, and sanitization at runtime.
* `SanitizationService` is the bare bones interface to sanitize values for a
particular context.
* `SchemaElementRegistry.securityContext(tagName, attributeOrPropertyName)`
determines the security context for an attribute or property (it turns out
attributes and properties match for the purposes of sanitization).
Based on these hooks:
* `DomSchemaElementRegistry` decides what sanitization applies in a particular
context.
* `DomSanitizationService` implements `SanitizationService` and adds *Safe
Value*s, i.e. the ability to mark a value as safe and not requiring further
sanitization.
* `url_sanitizer` and `style_sanitizer` sanitize URLs and Styles, respectively
(surprise!).
`DomSanitizationService` is the default implementation bound for browser
applications, in the three contexts (browser rendering, web worker rendering,
server side rendering).
BREAKING CHANGES:
*** SECURITY WARNING ***
Angular 2 Release Candidates do not implement proper contextual escaping yet.
Make sure to correctly escape all values that go into the DOM.
*** SECURITY WARNING ***
Reviewers: IgorMinar
Differential Revision: https://reviews.angular.io/D103
2016-04-29 16:04:08 -07:00
|
|
|
export function sanitizeStyle(value: string): string {
|
2016-05-03 18:41:07 -07:00
|
|
|
value = String(value); // Make sure it's actually a string.
|
|
|
|
if (value.match(SAFE_STYLE_VALUE) && hasBalancedQuotes(value)) return value;
|
2016-05-09 16:46:31 +02:00
|
|
|
|
|
|
|
if (assertionsEnabled()) {
|
|
|
|
getDOM().log('WARNING: sanitizing unsafe style value ' + value);
|
|
|
|
}
|
|
|
|
|
feat: security implementation in Angular 2.
Summary:
This adds basic security hooks to Angular 2.
* `SecurityContext` is a private API between core, compiler, and
platform-browser. `SecurityContext` communicates what context a value is used
in across template parser, compiler, and sanitization at runtime.
* `SanitizationService` is the bare bones interface to sanitize values for a
particular context.
* `SchemaElementRegistry.securityContext(tagName, attributeOrPropertyName)`
determines the security context for an attribute or property (it turns out
attributes and properties match for the purposes of sanitization).
Based on these hooks:
* `DomSchemaElementRegistry` decides what sanitization applies in a particular
context.
* `DomSanitizationService` implements `SanitizationService` and adds *Safe
Value*s, i.e. the ability to mark a value as safe and not requiring further
sanitization.
* `url_sanitizer` and `style_sanitizer` sanitize URLs and Styles, respectively
(surprise!).
`DomSanitizationService` is the default implementation bound for browser
applications, in the three contexts (browser rendering, web worker rendering,
server side rendering).
BREAKING CHANGES:
*** SECURITY WARNING ***
Angular 2 Release Candidates do not implement proper contextual escaping yet.
Make sure to correctly escape all values that go into the DOM.
*** SECURITY WARNING ***
Reviewers: IgorMinar
Differential Revision: https://reviews.angular.io/D103
2016-04-29 16:04:08 -07:00
|
|
|
return 'unsafe';
|
|
|
|
}
|