| 
									
										
										
										
											2016-06-23 09:47:54 -07:00
										 |  |  | /** | 
					
						
							|  |  |  |  * @license | 
					
						
							|  |  |  |  * Copyright Google Inc. All Rights Reserved. | 
					
						
							|  |  |  |  * | 
					
						
							|  |  |  |  * Use of this source code is governed by an MIT-style license that can be | 
					
						
							|  |  |  |  * found in the LICENSE file at https://angular.io/license
 | 
					
						
							|  |  |  |  */ | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2018-03-01 17:14:01 -08:00
										 |  |  | import {isDevMode} from '../application_ref'; | 
					
						
							| 
									
										
										
										
											2016-05-09 16:46:31 +02:00
										 |  |  | 
 | 
					
						
							| 
									
										
											  
											
												feat: security implementation in Angular 2.
Summary:
This adds basic security hooks to Angular 2.
* `SecurityContext` is a private API between core, compiler, and
  platform-browser. `SecurityContext` communicates what context a value is used
  in across template parser, compiler, and sanitization at runtime.
* `SanitizationService` is the bare bones interface to sanitize values for a
  particular context.
* `SchemaElementRegistry.securityContext(tagName, attributeOrPropertyName)`
  determines the security context for an attribute or property (it turns out
  attributes and properties match for the purposes of sanitization).
Based on these hooks:
* `DomSchemaElementRegistry` decides what sanitization applies in a particular
  context.
* `DomSanitizationService` implements `SanitizationService` and adds *Safe
  Value*s, i.e. the ability to mark a value as safe and not requiring further
  sanitization.
* `url_sanitizer` and `style_sanitizer` sanitize URLs and Styles, respectively
  (surprise!).
`DomSanitizationService` is the default implementation bound for browser
applications, in the three contexts (browser rendering, web worker rendering,
server side rendering).
BREAKING CHANGES:
*** SECURITY WARNING ***
Angular 2 Release Candidates do not implement proper contextual escaping yet.
Make sure to correctly escape all values that go into the DOM.
*** SECURITY WARNING ***
Reviewers: IgorMinar
Differential Revision: https://reviews.angular.io/D103
											
										 
											2016-04-29 16:04:08 -07:00
										 |  |  | /** | 
					
						
							|  |  |  |  * A pattern that recognizes a commonly useful subset of URLs that are safe. | 
					
						
							|  |  |  |  * | 
					
						
							|  |  |  |  * This regular expression matches a subset of URLs that will not cause script | 
					
						
							|  |  |  |  * execution if used in URL context within a HTML document. Specifically, this | 
					
						
							|  |  |  |  * regular expression matches if (comment from here on and regex copied from | 
					
						
							|  |  |  |  * Soy's EscapingConventions): | 
					
						
							|  |  |  |  * (1) Either a protocol in a whitelist (http, https, mailto or ftp). | 
					
						
							|  |  |  |  * (2) or no protocol.  A protocol must be followed by a colon. The below | 
					
						
							|  |  |  |  *     allows that by allowing colons only after one of the characters [/?#]. | 
					
						
							|  |  |  |  *     A colon after a hash (#) must be in the fragment. | 
					
						
							|  |  |  |  *     Otherwise, a colon after a (?) must be in a query. | 
					
						
							|  |  |  |  *     Otherwise, a colon after a single solidus (/) must be in a path. | 
					
						
							|  |  |  |  *     Otherwise, a colon after a double solidus (//) must be in the authority
 | 
					
						
							|  |  |  |  *     (before port). | 
					
						
							|  |  |  |  * | 
					
						
							|  |  |  |  * The pattern disallows &, used in HTML entity declarations before | 
					
						
							|  |  |  |  * one of the characters in [/?#]. This disallows HTML entities used in the | 
					
						
							|  |  |  |  * protocol name, which should never happen, e.g. "http" for "http". | 
					
						
							|  |  |  |  * It also disallows HTML entities in the first path part of a relative path, | 
					
						
							|  |  |  |  * e.g. "foo<bar/baz".  Our existing escaping functions should not produce | 
					
						
							|  |  |  |  * that. More importantly, it disallows masking of a colon, | 
					
						
							|  |  |  |  * e.g. "javascript:...". | 
					
						
							|  |  |  |  * | 
					
						
							|  |  |  |  * This regular expression was taken from the Closure sanitization library. | 
					
						
							|  |  |  |  */ | 
					
						
							|  |  |  | const SAFE_URL_PATTERN = /^(?:(?:https?|mailto|ftp|tel|file):|[^&:/?#]*(?:[/?#]|$))/gi; | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2016-06-24 16:54:11 +02:00
										 |  |  | /* A pattern that matches safe srcset values */ | 
					
						
							|  |  |  | const SAFE_SRCSET_PATTERN = /^(?:(?:https?|file):|[^&:/?#]*(?:[/?#]|$))/gi; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | /** A pattern that matches safe data URLs. Only matches image, video and audio types. */ | 
					
						
							| 
									
										
										
										
											2016-06-08 16:38:52 -07:00
										 |  |  | const DATA_URL_PATTERN = | 
					
						
							| 
									
										
										
										
											2016-06-24 16:54:11 +02:00
										 |  |  |     /^data:(?:image\/(?:bmp|gif|jpeg|jpg|png|tiff|webp)|video\/(?:mpeg|mp4|ogg|webm)|audio\/(?:mp3|oga|ogg|opus));base64,[a-z0-9+\/]+=*$/i; | 
					
						
							| 
									
										
										
										
											2016-05-15 11:44:52 +02:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2018-03-01 17:14:01 -08:00
										 |  |  | export function _sanitizeUrl(url: string): string { | 
					
						
							| 
									
										
										
										
											2016-05-09 16:46:31 +02:00
										 |  |  |   url = String(url); | 
					
						
							| 
									
										
										
										
											2016-05-15 11:44:52 +02:00
										 |  |  |   if (url.match(SAFE_URL_PATTERN) || url.match(DATA_URL_PATTERN)) return url; | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2016-06-28 18:13:46 -07:00
										 |  |  |   if (isDevMode()) { | 
					
						
							| 
									
										
										
										
											2018-03-01 13:16:13 -08:00
										 |  |  |     console.warn(`WARNING: sanitizing unsafe URL value ${url} (see http://g.co/ng/security#xss)`); | 
					
						
							| 
									
										
										
										
											2016-06-28 18:13:46 -07:00
										 |  |  |   } | 
					
						
							| 
									
										
										
										
											2016-05-09 16:46:31 +02:00
										 |  |  | 
 | 
					
						
							| 
									
										
											  
											
												feat: security implementation in Angular 2.
Summary:
This adds basic security hooks to Angular 2.
* `SecurityContext` is a private API between core, compiler, and
  platform-browser. `SecurityContext` communicates what context a value is used
  in across template parser, compiler, and sanitization at runtime.
* `SanitizationService` is the bare bones interface to sanitize values for a
  particular context.
* `SchemaElementRegistry.securityContext(tagName, attributeOrPropertyName)`
  determines the security context for an attribute or property (it turns out
  attributes and properties match for the purposes of sanitization).
Based on these hooks:
* `DomSchemaElementRegistry` decides what sanitization applies in a particular
  context.
* `DomSanitizationService` implements `SanitizationService` and adds *Safe
  Value*s, i.e. the ability to mark a value as safe and not requiring further
  sanitization.
* `url_sanitizer` and `style_sanitizer` sanitize URLs and Styles, respectively
  (surprise!).
`DomSanitizationService` is the default implementation bound for browser
applications, in the three contexts (browser rendering, web worker rendering,
server side rendering).
BREAKING CHANGES:
*** SECURITY WARNING ***
Angular 2 Release Candidates do not implement proper contextual escaping yet.
Make sure to correctly escape all values that go into the DOM.
*** SECURITY WARNING ***
Reviewers: IgorMinar
Differential Revision: https://reviews.angular.io/D103
											
										 
											2016-04-29 16:04:08 -07:00
										 |  |  |   return 'unsafe:' + url; | 
					
						
							|  |  |  | } | 
					
						
							| 
									
										
										
										
											2016-06-24 16:54:11 +02:00
										 |  |  | 
 | 
					
						
							|  |  |  | export function sanitizeSrcset(srcset: string): string { | 
					
						
							|  |  |  |   srcset = String(srcset); | 
					
						
							| 
									
										
										
										
											2018-03-01 17:14:01 -08:00
										 |  |  |   return srcset.split(',').map((srcset) => _sanitizeUrl(srcset.trim())).join(', '); | 
					
						
							| 
									
										
										
										
											2016-06-24 16:54:11 +02:00
										 |  |  | } |