angular-docs-cn/modules/@angular/platform-browser/src/security/url_sanitizer.ts

import {getDOM} from '../dom/dom_adapter';
import {assertionsEnabled} from '../facade/lang';

/**
 * A pattern that recognizes a commonly useful subset of URLs that are safe.
 *
 * This regular expression matches a subset of URLs that will not cause script
 * execution if used in URL context within a HTML document. Specifically, this
 * regular expression matches if (comment from here on and regex copied from
 * Soy's EscapingConventions):
 * (1) Either a protocol in a whitelist (http, https, mailto or ftp).
 * (2) or no protocol.  A protocol must be followed by a colon. The below
 *     allows that by allowing colons only after one of the characters [/?#].
 *     A colon after a hash (#) must be in the fragment.
 *     Otherwise, a colon after a (?) must be in a query.
 *     Otherwise, a colon after a single solidus (/) must be in a path.
 *     Otherwise, a colon after a double solidus (//) must be in the authority
 *     (before port).
 *
 * The pattern disallows &, used in HTML entity declarations before
 * one of the characters in [/?#]. This disallows HTML entities used in the
 * protocol name, which should never happen, e.g. "h&#116;tp" for "http".
 * It also disallows HTML entities in the first path part of a relative path,
 * e.g. "foo&lt;bar/baz".  Our existing escaping functions should not produce
 * that. More importantly, it disallows masking of a colon,
 * e.g. "javascript&#58;...".
 *
 * This regular expression was taken from the Closure sanitization library.
 */
const SAFE_URL_PATTERN = /^(?:(?:https?|mailto|ftp|tel|file):|[^&:/?#]*(?:[/?#]|$))/gi;

/** A pattern that matches safe data URLs. Only matches image and video types. */
const DATA_URL_PATTERN = /^data:(?:image\/(?:bmp|gif|jpeg|jpg|png|tiff|webp)|video\/(?:mpeg|mp4|ogg|webm));base64,[a-z0-9+\/]+=*$/i;

export function sanitizeUrl(url: string): string {
  url = String(url);
  if (url.match(SAFE_URL_PATTERN) || url.match(DATA_URL_PATTERN)) return url;

  if (assertionsEnabled()) getDOM().log('WARNING: sanitizing unsafe URL value ' + url);

  return 'unsafe:' + url;
}
feat(security): warn users when sanitizing in dev mode. This should help developers to figure out what's going on when the sanitizer strips some input. Fixes #8522. 2016-05-09 16:46:31 +02:00			`import {getDOM} from '../dom/dom_adapter';`
refactor(imports): simplify paths 2016-05-31 15:22:59 -07:00			`import {assertionsEnabled} from '../facade/lang';`
feat(security): warn users when sanitizing in dev mode. This should help developers to figure out what's going on when the sanitizer strips some input. Fixes #8522. 2016-05-09 16:46:31 +02:00
feat: security implementation in Angular 2. Summary: This adds basic security hooks to Angular 2. * `SecurityContext` is a private API between core, compiler, and platform-browser. `SecurityContext` communicates what context a value is used in across template parser, compiler, and sanitization at runtime. * `SanitizationService` is the bare bones interface to sanitize values for a particular context. * `SchemaElementRegistry.securityContext(tagName, attributeOrPropertyName)` determines the security context for an attribute or property (it turns out attributes and properties match for the purposes of sanitization). Based on these hooks: * `DomSchemaElementRegistry` decides what sanitization applies in a particular context. * `DomSanitizationService` implements `SanitizationService` and adds Safe Values, i.e. the ability to mark a value as safe and not requiring further sanitization. * `url_sanitizer` and `style_sanitizer` sanitize URLs and Styles, respectively (surprise!). `DomSanitizationService` is the default implementation bound for browser applications, in the three contexts (browser rendering, web worker rendering, server side rendering). BREAKING CHANGES: * SECURITY WARNING * Angular 2 Release Candidates do not implement proper contextual escaping yet. Make sure to correctly escape all values that go into the DOM. * SECURITY WARNING * Reviewers: IgorMinar Differential Revision: https://reviews.angular.io/D103 2016-04-29 16:04:08 -07:00			`/**`
			`* A pattern that recognizes a commonly useful subset of URLs that are safe.`
			`*`
			`* This regular expression matches a subset of URLs that will not cause script`
			`* execution if used in URL context within a HTML document. Specifically, this`
			`* regular expression matches if (comment from here on and regex copied from`
			`* Soy's EscapingConventions):`
			`* (1) Either a protocol in a whitelist (http, https, mailto or ftp).`
			`* (2) or no protocol. A protocol must be followed by a colon. The below`
			`* allows that by allowing colons only after one of the characters [/?#].`
			`* A colon after a hash (#) must be in the fragment.`
			`* Otherwise, a colon after a (?) must be in a query.`
			`* Otherwise, a colon after a single solidus (/) must be in a path.`
			`* Otherwise, a colon after a double solidus (//) must be in the authority`
			`* (before port).`
			`*`
			`* The pattern disallows &, used in HTML entity declarations before`
			`* one of the characters in [/?#]. This disallows HTML entities used in the`
			`* protocol name, which should never happen, e.g. "http" for "http".`
			`* It also disallows HTML entities in the first path part of a relative path,`
			`* e.g. "foo<bar/baz". Our existing escaping functions should not produce`
			`* that. More importantly, it disallows masking of a colon,`
			`* e.g. "javascript:...".`
			`*`
			`* This regular expression was taken from the Closure sanitization library.`
			`*/`
			`const SAFE_URL_PATTERN = /^(?:(?:https?\|mailto\|ftp\|tel\|file):\|[^&:/?#]*(?:[/?#]\|$))/gi;`

feat(security): allow data: URLs for images and videos. Allows known-to-be-safe media types in data URIs. Part of #8511. 2016-05-15 11:44:52 +02:00			`/** A pattern that matches safe data URLs. Only matches image and video types. */`
			`const DATA_URL_PATTERN = /^data:(?:image\/(?:bmp\|gif\|jpeg\|jpg\|png\|tiff\|webp)\|video\/(?:mpeg\|mp4\|ogg\|webm));base64,[a-z0-9+\/]+=*$/i;`

feat: security implementation in Angular 2. Summary: This adds basic security hooks to Angular 2. * `SecurityContext` is a private API between core, compiler, and platform-browser. `SecurityContext` communicates what context a value is used in across template parser, compiler, and sanitization at runtime. * `SanitizationService` is the bare bones interface to sanitize values for a particular context. * `SchemaElementRegistry.securityContext(tagName, attributeOrPropertyName)` determines the security context for an attribute or property (it turns out attributes and properties match for the purposes of sanitization). Based on these hooks: * `DomSchemaElementRegistry` decides what sanitization applies in a particular context. * `DomSanitizationService` implements `SanitizationService` and adds Safe Values, i.e. the ability to mark a value as safe and not requiring further sanitization. * `url_sanitizer` and `style_sanitizer` sanitize URLs and Styles, respectively (surprise!). `DomSanitizationService` is the default implementation bound for browser applications, in the three contexts (browser rendering, web worker rendering, server side rendering). BREAKING CHANGES: * SECURITY WARNING * Angular 2 Release Candidates do not implement proper contextual escaping yet. Make sure to correctly escape all values that go into the DOM. * SECURITY WARNING * Reviewers: IgorMinar Differential Revision: https://reviews.angular.io/D103 2016-04-29 16:04:08 -07:00			`export function sanitizeUrl(url: string): string {`
feat(security): warn users when sanitizing in dev mode. This should help developers to figure out what's going on when the sanitizer strips some input. Fixes #8522. 2016-05-09 16:46:31 +02:00			`url = String(url);`
feat(security): allow data: URLs for images and videos. Allows known-to-be-safe media types in data URIs. Part of #8511. 2016-05-15 11:44:52 +02:00			`if (url.match(SAFE_URL_PATTERN) \|\| url.match(DATA_URL_PATTERN)) return url;`

			`if (assertionsEnabled()) getDOM().log('WARNING: sanitizing unsafe URL value ' + url);`
feat(security): warn users when sanitizing in dev mode. This should help developers to figure out what's going on when the sanitizer strips some input. Fixes #8522. 2016-05-09 16:46:31 +02:00
feat: security implementation in Angular 2. Summary: This adds basic security hooks to Angular 2. * `SecurityContext` is a private API between core, compiler, and platform-browser. `SecurityContext` communicates what context a value is used in across template parser, compiler, and sanitization at runtime. * `SanitizationService` is the bare bones interface to sanitize values for a particular context. * `SchemaElementRegistry.securityContext(tagName, attributeOrPropertyName)` determines the security context for an attribute or property (it turns out attributes and properties match for the purposes of sanitization). Based on these hooks: * `DomSchemaElementRegistry` decides what sanitization applies in a particular context. * `DomSanitizationService` implements `SanitizationService` and adds Safe Values, i.e. the ability to mark a value as safe and not requiring further sanitization. * `url_sanitizer` and `style_sanitizer` sanitize URLs and Styles, respectively (surprise!). `DomSanitizationService` is the default implementation bound for browser applications, in the three contexts (browser rendering, web worker rendering, server side rendering). BREAKING CHANGES: * SECURITY WARNING * Angular 2 Release Candidates do not implement proper contextual escaping yet. Make sure to correctly escape all values that go into the DOM. * SECURITY WARNING * Reviewers: IgorMinar Differential Revision: https://reviews.angular.io/D103 2016-04-29 16:04:08 -07:00			`return 'unsafe:' + url;`
			`}`