iSharkFly-Docs/angular-docs-cn
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
angular-docs-cn/packages/core/src/sanitization/sanitization.ts

226 lines
8.2 KiB
TypeScript
Raw Normal View History

feat(ivy): provide sanitization methods which can be tree shaken (#22540) By providing a top level sanitization methods (rather than service) the compiler can generate calls into the methods only when needed. This makes the methods tree shakable. PR Close #22540
2018-03-01 17:14:01 -08:00
/**
* @license
* Copyright Google Inc. All Rights Reserved.
*
* Use of this source code is governed by an MIT-style license that can be
* found in the LICENSE file at https://angular.io/license
*/
refactor(ivy): treate LView as the primary global state (#27282) - rename `LViewData` to `LView` (to be consistent with `TView`) - Remove `getRenderer`, `getRendererFactory`, `getTview`, `getCurrentQueries`, PR Close #27282
2018-11-21 21:14:06 -08:00
import {SANITIZER} from '../render3/interfaces/view';
import {getLView} from '../render3/state';
refactor(ivy): split util functions into different files (#28382) Google3 detected circular references here, so splitting up this rather hodge-podge list of functions into slightly better organizational units. PR Close #28382
2019-02-20 14:21:20 -08:00
import {renderStringify} from '../render3/util/misc_utils';
feat(ivy): provide sanitization methods which can be tree shaken (#22540) By providing a top level sanitization methods (rather than service) the compiler can generate calls into the methods only when needed. This makes the methods tree shakable. PR Close #22540
2018-03-01 17:14:01 -08:00
perf(core): make sanitization tree-shakable in Ivy mode (#31934) In VE the `Sanitizer` is always available in `BrowserModule` because the VE retrieves it using injection. In Ivy the injection is optional and we have instructions instead of component definition arrays. The implication of this is that in Ivy the instructions can pull in the sanitizer only when they are working with a property which is known to be unsafe. Because the Injection is optional this works even if no Sanitizer is present. So in Ivy we first use the sanitizer which is pulled in by the instruction, unless one is available through the `Injector` then we use that one instead. This PR does few things: 1) It makes `Sanitizer` optional in Ivy. 2) It makes `DomSanitizer` tree shakable. 3) It aligns the semantics of Ivy `Sanitizer` with that of the Ivy sanitization rules. 4) It refactors `DomSanitizer` to use same functions as Ivy sanitization for consistency. PR Close #31934
2019-07-31 13:15:50 -07:00
import {BypassType, allowSanitizationBypassAndThrow, unwrapSafeValue} from './bypass';
feat(ivy): provide sanitization methods which can be tree shaken (#22540) By providing a top level sanitization methods (rather than service) the compiler can generate calls into the methods only when needed. This makes the methods tree shakable. PR Close #22540
2018-03-01 17:14:01 -08:00
import {_sanitizeHtml as _sanitizeHtml} from './html_sanitizer';
perf(core): make sanitization tree-shakable in Ivy mode (#31934) In VE the `Sanitizer` is always available in `BrowserModule` because the VE retrieves it using injection. In Ivy the injection is optional and we have instructions instead of component definition arrays. The implication of this is that in Ivy the instructions can pull in the sanitizer only when they are working with a property which is known to be unsafe. Because the Injection is optional this works even if no Sanitizer is present. So in Ivy we first use the sanitizer which is pulled in by the instruction, unless one is available through the `Injector` then we use that one instead. This PR does few things: 1) It makes `Sanitizer` optional in Ivy. 2) It makes `DomSanitizer` tree shakable. 3) It aligns the semantics of Ivy `Sanitizer` with that of the Ivy sanitization rules. 4) It refactors `DomSanitizer` to use same functions as Ivy sanitization for consistency. PR Close #31934
2019-07-31 13:15:50 -07:00
import {Sanitizer} from './sanitizer';
import {SecurityContext} from './security';
refactor(ivy): enable sanitization support for the new styling algorithm (#30667) This patch is one of the final patches to refactor the styling algorithm to be more efficient, performant and less complex. This patch enables sanitization support for map-based and prop-based style bindings. PR Close #30667
2019-05-24 13:49:57 -07:00
import {StyleSanitizeFn, StyleSanitizeMode, _sanitizeStyle as _sanitizeStyle} from './style_sanitizer';
feat(ivy): provide sanitization methods which can be tree shaken (#22540) By providing a top level sanitization methods (rather than service) the compiler can generate calls into the methods only when needed. This makes the methods tree shakable. PR Close #22540
2018-03-01 17:14:01 -08:00
import {_sanitizeUrl as _sanitizeUrl} from './url_sanitizer';
/**
* An `html` sanitizer which converts untrusted `html` **string** into trusted string by removing
* dangerous content.
*
* This method parses the `html` and locates potentially dangerous content (such as urls and
* javascript) and removes it.
*
* It is possible to mark a string as trusted by calling {@link bypassSanitizationTrustHtml}.
*
* @param unsafeHtml untrusted `html`, typically from the user.
* @returns `html` string which is safe to display to user, because all of the dangerous javascript
* and urls have been removed.
refactor(ivy): prefix all generated instructions (#29692) - Updates all instructions to be prefixed with the Greek delta symbol PR Close #29692
2019-04-04 11:41:52 -07:00
*
* @publicApi
feat(ivy): provide sanitization methods which can be tree shaken (#22540) By providing a top level sanitization methods (rather than service) the compiler can generate calls into the methods only when needed. This makes the methods tree shakable. PR Close #22540
2018-03-01 17:14:01 -08:00
*/
refactor(ivy): Move instructions back to ɵɵ (#30546) There is an encoding issue with using delta `Δ`, where the browser will attempt to detect the file encoding if the character set is not explicitly declared on a `<script/>` tag, and Chrome will find the `Δ` character and decide it is window-1252 encoding, which misinterprets the `Δ` character to be some other character that is not a valid JS identifier character So back to the frog eyes we go. ``` __ /ɵɵ\ ( -- ) - I am ineffable. I am forever. _/ \_ / \ / \ == == == ``` PR Close #30546
2019-05-17 18:49:21 -07:00
export function ɵɵsanitizeHtml(unsafeHtml: any): string {
fix(ivy): Implement remaining methods for DebugNode (#27387) PR Close #27387
2018-11-28 15:54:38 -08:00
const sanitizer = getSanitizer();
refactor(ivy): treate LView as the primary global state (#27282) - rename `LViewData` to `LView` (to be consistent with `TView`) - Remove `getRenderer`, `getRendererFactory`, `getTview`, `getCurrentQueries`, PR Close #27282
2018-11-21 21:14:06 -08:00
if (sanitizer) {
return sanitizer.sanitize(SecurityContext.HTML, unsafeHtml) || '';
feat(ivy): support injectable sanitization service (#23809) PR Close #23809
2018-05-09 15:30:16 -07:00
}
perf(core): make sanitization tree-shakable in Ivy mode (#31934) In VE the `Sanitizer` is always available in `BrowserModule` because the VE retrieves it using injection. In Ivy the injection is optional and we have instructions instead of component definition arrays. The implication of this is that in Ivy the instructions can pull in the sanitizer only when they are working with a property which is known to be unsafe. Because the Injection is optional this works even if no Sanitizer is present. So in Ivy we first use the sanitizer which is pulled in by the instruction, unless one is available through the `Injector` then we use that one instead. This PR does few things: 1) It makes `Sanitizer` optional in Ivy. 2) It makes `DomSanitizer` tree shakable. 3) It aligns the semantics of Ivy `Sanitizer` with that of the Ivy sanitization rules. 4) It refactors `DomSanitizer` to use same functions as Ivy sanitization for consistency. PR Close #31934
2019-07-31 13:15:50 -07:00
if (allowSanitizationBypassAndThrow(unsafeHtml, BypassType.Html)) {
return unwrapSafeValue(unsafeHtml);
feat(ivy): provide sanitization methods which can be tree shaken (#22540) By providing a top level sanitization methods (rather than service) the compiler can generate calls into the methods only when needed. This makes the methods tree shakable. PR Close #22540
2018-03-01 17:14:01 -08:00
}
test: improve symbol-extractor test by ignoring $1 suffix (#28098) PR Close #28098
2019-01-12 00:59:48 -08:00
return _sanitizeHtml(document, renderStringify(unsafeHtml));
feat(ivy): provide sanitization methods which can be tree shaken (#22540) By providing a top level sanitization methods (rather than service) the compiler can generate calls into the methods only when needed. This makes the methods tree shakable. PR Close #22540
2018-03-01 17:14:01 -08:00
}
/**
* A `style` sanitizer which converts untrusted `style` **string** into trusted string by removing
* dangerous content.
*
* This method parses the `style` and locates potentially dangerous content (such as urls and
* javascript) and removes it.
*
* It is possible to mark a string as trusted by calling {@link bypassSanitizationTrustStyle}.
*
* @param unsafeStyle untrusted `style`, typically from the user.
* @returns `style` string which is safe to bind to the `style` properties, because all of the
* dangerous javascript and urls have been removed.
refactor(ivy): prefix all generated instructions (#29692) - Updates all instructions to be prefixed with the Greek delta symbol PR Close #29692
2019-04-04 11:41:52 -07:00
*
* @publicApi
feat(ivy): provide sanitization methods which can be tree shaken (#22540) By providing a top level sanitization methods (rather than service) the compiler can generate calls into the methods only when needed. This makes the methods tree shakable. PR Close #22540
2018-03-01 17:14:01 -08:00
*/
refactor(ivy): Move instructions back to ɵɵ (#30546) There is an encoding issue with using delta `Δ`, where the browser will attempt to detect the file encoding if the character set is not explicitly declared on a `<script/>` tag, and Chrome will find the `Δ` character and decide it is window-1252 encoding, which misinterprets the `Δ` character to be some other character that is not a valid JS identifier character So back to the frog eyes we go. ``` __ /ɵɵ\ ( -- ) - I am ineffable. I am forever. _/ \_ / \ / \ == == == ``` PR Close #30546
2019-05-17 18:49:21 -07:00
export function ɵɵsanitizeStyle(unsafeStyle: any): string {
fix(ivy): Implement remaining methods for DebugNode (#27387) PR Close #27387
2018-11-28 15:54:38 -08:00
const sanitizer = getSanitizer();
refactor(ivy): treate LView as the primary global state (#27282) - rename `LViewData` to `LView` (to be consistent with `TView`) - Remove `getRenderer`, `getRendererFactory`, `getTview`, `getCurrentQueries`, PR Close #27282
2018-11-21 21:14:06 -08:00
if (sanitizer) {
return sanitizer.sanitize(SecurityContext.STYLE, unsafeStyle) || '';
feat(ivy): support injectable sanitization service (#23809) PR Close #23809
2018-05-09 15:30:16 -07:00
}
perf(core): make sanitization tree-shakable in Ivy mode (#31934) In VE the `Sanitizer` is always available in `BrowserModule` because the VE retrieves it using injection. In Ivy the injection is optional and we have instructions instead of component definition arrays. The implication of this is that in Ivy the instructions can pull in the sanitizer only when they are working with a property which is known to be unsafe. Because the Injection is optional this works even if no Sanitizer is present. So in Ivy we first use the sanitizer which is pulled in by the instruction, unless one is available through the `Injector` then we use that one instead. This PR does few things: 1) It makes `Sanitizer` optional in Ivy. 2) It makes `DomSanitizer` tree shakable. 3) It aligns the semantics of Ivy `Sanitizer` with that of the Ivy sanitization rules. 4) It refactors `DomSanitizer` to use same functions as Ivy sanitization for consistency. PR Close #31934
2019-07-31 13:15:50 -07:00
if (allowSanitizationBypassAndThrow(unsafeStyle, BypassType.Style)) {
return unwrapSafeValue(unsafeStyle);
feat(ivy): provide sanitization methods which can be tree shaken (#22540) By providing a top level sanitization methods (rather than service) the compiler can generate calls into the methods only when needed. This makes the methods tree shakable. PR Close #22540
2018-03-01 17:14:01 -08:00
}
test: improve symbol-extractor test by ignoring $1 suffix (#28098) PR Close #28098
2019-01-12 00:59:48 -08:00
return _sanitizeStyle(renderStringify(unsafeStyle));
feat(ivy): provide sanitization methods which can be tree shaken (#22540) By providing a top level sanitization methods (rather than service) the compiler can generate calls into the methods only when needed. This makes the methods tree shakable. PR Close #22540
2018-03-01 17:14:01 -08:00
}
/**
* A `url` sanitizer which converts untrusted `url` **string** into trusted string by removing
* dangerous
* content.
*
* This method parses the `url` and locates potentially dangerous content (such as javascript) and
* removes it.
*
* It is possible to mark a string as trusted by calling {@link bypassSanitizationTrustUrl}.
*
* @param unsafeUrl untrusted `url`, typically from the user.
* @returns `url` string which is safe to bind to the `src` properties such as `<img src>`, because
* all of the dangerous javascript has been removed.
refactor(ivy): prefix all generated instructions (#29692) - Updates all instructions to be prefixed with the Greek delta symbol PR Close #29692
2019-04-04 11:41:52 -07:00
*
* @publicApi
feat(ivy): provide sanitization methods which can be tree shaken (#22540) By providing a top level sanitization methods (rather than service) the compiler can generate calls into the methods only when needed. This makes the methods tree shakable. PR Close #22540
2018-03-01 17:14:01 -08:00
*/
refactor(ivy): Move instructions back to ɵɵ (#30546) There is an encoding issue with using delta `Δ`, where the browser will attempt to detect the file encoding if the character set is not explicitly declared on a `<script/>` tag, and Chrome will find the `Δ` character and decide it is window-1252 encoding, which misinterprets the `Δ` character to be some other character that is not a valid JS identifier character So back to the frog eyes we go. ``` __ /ɵɵ\ ( -- ) - I am ineffable. I am forever. _/ \_ / \ / \ == == == ``` PR Close #30546
2019-05-17 18:49:21 -07:00
export function ɵɵsanitizeUrl(unsafeUrl: any): string {
fix(ivy): Implement remaining methods for DebugNode (#27387) PR Close #27387
2018-11-28 15:54:38 -08:00
const sanitizer = getSanitizer();
refactor(ivy): treate LView as the primary global state (#27282) - rename `LViewData` to `LView` (to be consistent with `TView`) - Remove `getRenderer`, `getRendererFactory`, `getTview`, `getCurrentQueries`, PR Close #27282
2018-11-21 21:14:06 -08:00
if (sanitizer) {
return sanitizer.sanitize(SecurityContext.URL, unsafeUrl) || '';
feat(ivy): support injectable sanitization service (#23809) PR Close #23809
2018-05-09 15:30:16 -07:00
}
perf(core): make sanitization tree-shakable in Ivy mode (#31934) In VE the `Sanitizer` is always available in `BrowserModule` because the VE retrieves it using injection. In Ivy the injection is optional and we have instructions instead of component definition arrays. The implication of this is that in Ivy the instructions can pull in the sanitizer only when they are working with a property which is known to be unsafe. Because the Injection is optional this works even if no Sanitizer is present. So in Ivy we first use the sanitizer which is pulled in by the instruction, unless one is available through the `Injector` then we use that one instead. This PR does few things: 1) It makes `Sanitizer` optional in Ivy. 2) It makes `DomSanitizer` tree shakable. 3) It aligns the semantics of Ivy `Sanitizer` with that of the Ivy sanitization rules. 4) It refactors `DomSanitizer` to use same functions as Ivy sanitization for consistency. PR Close #31934
2019-07-31 13:15:50 -07:00
if (allowSanitizationBypassAndThrow(unsafeUrl, BypassType.Url)) {
return unwrapSafeValue(unsafeUrl);
feat(ivy): provide sanitization methods which can be tree shaken (#22540) By providing a top level sanitization methods (rather than service) the compiler can generate calls into the methods only when needed. This makes the methods tree shakable. PR Close #22540
2018-03-01 17:14:01 -08:00
}
test: improve symbol-extractor test by ignoring $1 suffix (#28098) PR Close #28098
2019-01-12 00:59:48 -08:00
return _sanitizeUrl(renderStringify(unsafeUrl));
feat(ivy): provide sanitization methods which can be tree shaken (#22540) By providing a top level sanitization methods (rather than service) the compiler can generate calls into the methods only when needed. This makes the methods tree shakable. PR Close #22540
2018-03-01 17:14:01 -08:00
}
/**
* A `url` sanitizer which only lets trusted `url`s through.
*
* This passes only `url`s marked trusted by calling {@link bypassSanitizationTrustResourceUrl}.
*
* @param unsafeResourceUrl untrusted `url`, typically from the user.
* @returns `url` string which is safe to bind to the `src` properties such as `<img src>`, because
* only trusted `url`s have been allowed to pass.
refactor(ivy): prefix all generated instructions (#29692) - Updates all instructions to be prefixed with the Greek delta symbol PR Close #29692
2019-04-04 11:41:52 -07:00
*
* @publicApi
feat(ivy): provide sanitization methods which can be tree shaken (#22540) By providing a top level sanitization methods (rather than service) the compiler can generate calls into the methods only when needed. This makes the methods tree shakable. PR Close #22540
2018-03-01 17:14:01 -08:00
*/
refactor(ivy): Move instructions back to ɵɵ (#30546) There is an encoding issue with using delta `Δ`, where the browser will attempt to detect the file encoding if the character set is not explicitly declared on a `<script/>` tag, and Chrome will find the `Δ` character and decide it is window-1252 encoding, which misinterprets the `Δ` character to be some other character that is not a valid JS identifier character So back to the frog eyes we go. ``` __ /ɵɵ\ ( -- ) - I am ineffable. I am forever. _/ \_ / \ / \ == == == ``` PR Close #30546
2019-05-17 18:49:21 -07:00
export function ɵɵsanitizeResourceUrl(unsafeResourceUrl: any): string {
fix(ivy): Implement remaining methods for DebugNode (#27387) PR Close #27387
2018-11-28 15:54:38 -08:00
const sanitizer = getSanitizer();
refactor(ivy): treate LView as the primary global state (#27282) - rename `LViewData` to `LView` (to be consistent with `TView`) - Remove `getRenderer`, `getRendererFactory`, `getTview`, `getCurrentQueries`, PR Close #27282
2018-11-21 21:14:06 -08:00
if (sanitizer) {
return sanitizer.sanitize(SecurityContext.RESOURCE_URL, unsafeResourceUrl) || '';
feat(ivy): support injectable sanitization service (#23809) PR Close #23809
2018-05-09 15:30:16 -07:00
}
perf(core): make sanitization tree-shakable in Ivy mode (#31934) In VE the `Sanitizer` is always available in `BrowserModule` because the VE retrieves it using injection. In Ivy the injection is optional and we have instructions instead of component definition arrays. The implication of this is that in Ivy the instructions can pull in the sanitizer only when they are working with a property which is known to be unsafe. Because the Injection is optional this works even if no Sanitizer is present. So in Ivy we first use the sanitizer which is pulled in by the instruction, unless one is available through the `Injector` then we use that one instead. This PR does few things: 1) It makes `Sanitizer` optional in Ivy. 2) It makes `DomSanitizer` tree shakable. 3) It aligns the semantics of Ivy `Sanitizer` with that of the Ivy sanitization rules. 4) It refactors `DomSanitizer` to use same functions as Ivy sanitization for consistency. PR Close #31934
2019-07-31 13:15:50 -07:00
if (allowSanitizationBypassAndThrow(unsafeResourceUrl, BypassType.ResourceUrl)) {
return unwrapSafeValue(unsafeResourceUrl);
feat(ivy): provide sanitization methods which can be tree shaken (#22540) By providing a top level sanitization methods (rather than service) the compiler can generate calls into the methods only when needed. This makes the methods tree shakable. PR Close #22540
2018-03-01 17:14:01 -08:00
}
throw new Error('unsafe value used in a resource URL context (see http://g.co/ng/security#xss)');
}
/**
* A `script` sanitizer which only lets trusted javascript through.
*
refactor(ivy): treate LView as the primary global state (#27282) - rename `LViewData` to `LView` (to be consistent with `TView`) - Remove `getRenderer`, `getRendererFactory`, `getTview`, `getCurrentQueries`, PR Close #27282
2018-11-21 21:14:06 -08:00
* This passes only `script`s marked trusted by calling {@link
* bypassSanitizationTrustScript}.
feat(ivy): provide sanitization methods which can be tree shaken (#22540) By providing a top level sanitization methods (rather than service) the compiler can generate calls into the methods only when needed. This makes the methods tree shakable. PR Close #22540
2018-03-01 17:14:01 -08:00
*
* @param unsafeScript untrusted `script`, typically from the user.
* @returns `url` string which is safe to bind to the `<script>` element such as `<img src>`,
refactor(ivy): treate LView as the primary global state (#27282) - rename `LViewData` to `LView` (to be consistent with `TView`) - Remove `getRenderer`, `getRendererFactory`, `getTview`, `getCurrentQueries`, PR Close #27282
2018-11-21 21:14:06 -08:00
* because only trusted `scripts` have been allowed to pass.
refactor(ivy): prefix all generated instructions (#29692) - Updates all instructions to be prefixed with the Greek delta symbol PR Close #29692
2019-04-04 11:41:52 -07:00
*
* @publicApi
feat(ivy): provide sanitization methods which can be tree shaken (#22540) By providing a top level sanitization methods (rather than service) the compiler can generate calls into the methods only when needed. This makes the methods tree shakable. PR Close #22540
2018-03-01 17:14:01 -08:00
*/
refactor(ivy): Move instructions back to ɵɵ (#30546) There is an encoding issue with using delta `Δ`, where the browser will attempt to detect the file encoding if the character set is not explicitly declared on a `<script/>` tag, and Chrome will find the `Δ` character and decide it is window-1252 encoding, which misinterprets the `Δ` character to be some other character that is not a valid JS identifier character So back to the frog eyes we go. ``` __ /ɵɵ\ ( -- ) - I am ineffable. I am forever. _/ \_ / \ / \ == == == ``` PR Close #30546
2019-05-17 18:49:21 -07:00
export function ɵɵsanitizeScript(unsafeScript: any): string {
fix(ivy): Implement remaining methods for DebugNode (#27387) PR Close #27387
2018-11-28 15:54:38 -08:00
const sanitizer = getSanitizer();
refactor(ivy): treate LView as the primary global state (#27282) - rename `LViewData` to `LView` (to be consistent with `TView`) - Remove `getRenderer`, `getRendererFactory`, `getTview`, `getCurrentQueries`, PR Close #27282
2018-11-21 21:14:06 -08:00
if (sanitizer) {
return sanitizer.sanitize(SecurityContext.SCRIPT, unsafeScript) || '';
feat(ivy): support injectable sanitization service (#23809) PR Close #23809
2018-05-09 15:30:16 -07:00
}
perf(core): make sanitization tree-shakable in Ivy mode (#31934) In VE the `Sanitizer` is always available in `BrowserModule` because the VE retrieves it using injection. In Ivy the injection is optional and we have instructions instead of component definition arrays. The implication of this is that in Ivy the instructions can pull in the sanitizer only when they are working with a property which is known to be unsafe. Because the Injection is optional this works even if no Sanitizer is present. So in Ivy we first use the sanitizer which is pulled in by the instruction, unless one is available through the `Injector` then we use that one instead. This PR does few things: 1) It makes `Sanitizer` optional in Ivy. 2) It makes `DomSanitizer` tree shakable. 3) It aligns the semantics of Ivy `Sanitizer` with that of the Ivy sanitization rules. 4) It refactors `DomSanitizer` to use same functions as Ivy sanitization for consistency. PR Close #31934
2019-07-31 13:15:50 -07:00
if (allowSanitizationBypassAndThrow(unsafeScript, BypassType.Script)) {
return unwrapSafeValue(unsafeScript);
feat(ivy): provide sanitization methods which can be tree shaken (#22540) By providing a top level sanitization methods (rather than service) the compiler can generate calls into the methods only when needed. This makes the methods tree shakable. PR Close #22540
2018-03-01 17:14:01 -08:00
}
throw new Error('unsafe value used in a script context');
}
fix(ivy): sanitization for Host Bindings (#27939) This commit adds sanitization for `elementProperty` and `elementAttribute` instructions used in `hostBindings` function, similar to what we already have in the `template` function. Main difference is the fact that for some attributes (like "href" and "src") we can't define which SecurityContext they belong to (URL vs RESOURCE_URL) in Compiler, since information in Directive selector may not be enough to calculate it. In order to resolve the problem, Compiler injects slightly different sanitization function which detects proper Security Context at runtime. PR Close #27939
2019-01-03 10:04:06 -08:00
/**
* Detects which sanitizer to use for URL property, based on tag name and prop name.
*
* The rules are based on the RESOURCE_URL context config from
* `packages/compiler/src/schema/dom_security_schema.ts`.
* If tag and prop names don't match Resource URL schema, use URL sanitizer.
*/
export function getUrlSanitizer(tag: string, prop: string) {
if ((prop === 'src' && (tag === 'embed' || tag === 'frame' || tag === 'iframe' ||
tag === 'media' || tag === 'script')) ||
(prop === 'href' && (tag === 'base' || tag === 'link'))) {
refactor(ivy): Move instructions back to ɵɵ (#30546) There is an encoding issue with using delta `Δ`, where the browser will attempt to detect the file encoding if the character set is not explicitly declared on a `<script/>` tag, and Chrome will find the `Δ` character and decide it is window-1252 encoding, which misinterprets the `Δ` character to be some other character that is not a valid JS identifier character So back to the frog eyes we go. ``` __ /ɵɵ\ ( -- ) - I am ineffable. I am forever. _/ \_ / \ / \ == == == ``` PR Close #30546
2019-05-17 18:49:21 -07:00
return ɵɵsanitizeResourceUrl;
fix(ivy): sanitization for Host Bindings (#27939) This commit adds sanitization for `elementProperty` and `elementAttribute` instructions used in `hostBindings` function, similar to what we already have in the `template` function. Main difference is the fact that for some attributes (like "href" and "src") we can't define which SecurityContext they belong to (URL vs RESOURCE_URL) in Compiler, since information in Directive selector may not be enough to calculate it. In order to resolve the problem, Compiler injects slightly different sanitization function which detects proper Security Context at runtime. PR Close #27939
2019-01-03 10:04:06 -08:00
}
refactor(ivy): Move instructions back to ɵɵ (#30546) There is an encoding issue with using delta `Δ`, where the browser will attempt to detect the file encoding if the character set is not explicitly declared on a `<script/>` tag, and Chrome will find the `Δ` character and decide it is window-1252 encoding, which misinterprets the `Δ` character to be some other character that is not a valid JS identifier character So back to the frog eyes we go. ``` __ /ɵɵ\ ( -- ) - I am ineffable. I am forever. _/ \_ / \ / \ == == == ``` PR Close #30546
2019-05-17 18:49:21 -07:00
return ɵɵsanitizeUrl;
fix(ivy): sanitization for Host Bindings (#27939) This commit adds sanitization for `elementProperty` and `elementAttribute` instructions used in `hostBindings` function, similar to what we already have in the `template` function. Main difference is the fact that for some attributes (like "href" and "src") we can't define which SecurityContext they belong to (URL vs RESOURCE_URL) in Compiler, since information in Directive selector may not be enough to calculate it. In order to resolve the problem, Compiler injects slightly different sanitization function which detects proper Security Context at runtime. PR Close #27939
2019-01-03 10:04:06 -08:00
}
/**
* Sanitizes URL, selecting sanitizer function based on tag and property names.
*
* This function is used in case we can't define security context at compile time, when only prop
* name is available. This happens when we generate host bindings for Directives/Components. The
* host element is unknown at compile time, so we defer calculation of specific sanitizer to
* runtime.
*
* @param unsafeUrl untrusted `url`, typically from the user.
* @param tag target element tag name.
* @param prop name of the property that contains the value.
* @returns `url` string which is safe to bind.
refactor(ivy): prefix all generated instructions (#29692) - Updates all instructions to be prefixed with the Greek delta symbol PR Close #29692
2019-04-04 11:41:52 -07:00
*
* @publicApi
fix(ivy): sanitization for Host Bindings (#27939) This commit adds sanitization for `elementProperty` and `elementAttribute` instructions used in `hostBindings` function, similar to what we already have in the `template` function. Main difference is the fact that for some attributes (like "href" and "src") we can't define which SecurityContext they belong to (URL vs RESOURCE_URL) in Compiler, since information in Directive selector may not be enough to calculate it. In order to resolve the problem, Compiler injects slightly different sanitization function which detects proper Security Context at runtime. PR Close #27939
2019-01-03 10:04:06 -08:00
*/
refactor(ivy): Move instructions back to ɵɵ (#30546) There is an encoding issue with using delta `Δ`, where the browser will attempt to detect the file encoding if the character set is not explicitly declared on a `<script/>` tag, and Chrome will find the `Δ` character and decide it is window-1252 encoding, which misinterprets the `Δ` character to be some other character that is not a valid JS identifier character So back to the frog eyes we go. ``` __ /ɵɵ\ ( -- ) - I am ineffable. I am forever. _/ \_ / \ / \ == == == ``` PR Close #30546
2019-05-17 18:49:21 -07:00
export function ɵɵsanitizeUrlOrResourceUrl(unsafeUrl: any, tag: string, prop: string): any {
fix(ivy): sanitization for Host Bindings (#27939) This commit adds sanitization for `elementProperty` and `elementAttribute` instructions used in `hostBindings` function, similar to what we already have in the `template` function. Main difference is the fact that for some attributes (like "href" and "src") we can't define which SecurityContext they belong to (URL vs RESOURCE_URL) in Compiler, since information in Directive selector may not be enough to calculate it. In order to resolve the problem, Compiler injects slightly different sanitization function which detects proper Security Context at runtime. PR Close #27939
2019-01-03 10:04:06 -08:00
return getUrlSanitizer(tag, prop)(unsafeUrl);
}
feat(ivy): provide sanitization methods which can be tree shaken (#22540) By providing a top level sanitization methods (rather than service) the compiler can generate calls into the methods only when needed. This makes the methods tree shakable. PR Close #22540
2018-03-01 17:14:01 -08:00
/**
feat(ivy): bridge compile instructions to include sanitization helpers (#24938) PR Close #24938
2018-07-11 10:58:18 -07:00
* The default style sanitizer will handle sanitization for style properties by
* sanitizing any CSS property that can include a `url` value (usually image-based properties)
refactor(ivy): prefix all generated instructions (#29692) - Updates all instructions to be prefixed with the Greek delta symbol PR Close #29692
2019-04-04 11:41:52 -07:00
*
* @publicApi
feat(ivy): provide sanitization methods which can be tree shaken (#22540) By providing a top level sanitization methods (rather than service) the compiler can generate calls into the methods only when needed. This makes the methods tree shakable. PR Close #22540
2018-03-01 17:14:01 -08:00
*/
refactor(ivy): enable sanitization support for the new styling algorithm (#30667) This patch is one of the final patches to refactor the styling algorithm to be more efficient, performant and less complex. This patch enables sanitization support for map-based and prop-based style bindings. PR Close #30667
2019-05-24 13:49:57 -07:00
export const ɵɵdefaultStyleSanitizer =
(function(prop: string, value: string|null, mode?: StyleSanitizeMode): string | boolean | null {
mode = mode || StyleSanitizeMode.ValidateAndSanitize;
let doSanitizeValue = true;
if (mode & StyleSanitizeMode.ValidateProperty) {
doSanitizeValue = prop === 'background-image' || prop === 'background' ||
prop === 'border-image' || prop === 'filter' || prop === 'list-style' ||
prop === 'list-style-image' || prop === 'clip-path';
}
if (mode & StyleSanitizeMode.SanitizeOnly) {
return doSanitizeValue ? ɵɵsanitizeStyle(value) : value;
} else {
return doSanitizeValue;
}
} as StyleSanitizeFn);
fix(ivy): Implement remaining methods for DebugNode (#27387) PR Close #27387
2018-11-28 15:54:38 -08:00
fix(ivy): throw on bindings to unknown properties (#28537) This commit adds a devMode-only check which will throw if a user attempts to bind a property that does not match a directive input or a known HTML property. Example: ``` <div [unknownProp]="someValue"></div> ``` The above will throw because "unknownProp" is not a known property of HTMLDivElement. This check is similar to the check executed in View Engine during template parsing, but occurs at runtime instead of compile-time. Note: This change uncovered an existing bug with host binding inheritance, so some Material tests had to be turned off. They will be fixed in an upcoming PR. PR Close #28537
2019-02-04 21:42:55 -08:00
export function validateAgainstEventProperties(name: string) {
fix(ivy): validate props and attrs with "on" prefix at runtime (#28054) Prior to this change we performed prop and attr name validation at compile time, which failed in case a given prop/attr is an input to a Directive (thus should not be a subject to this check). Since Directive matching in Ivy happens at runtime, the corresponding checks are now moved to runtime as well. PR Close #28054
2019-01-10 13:34:39 -08:00
if (name.toLowerCase().startsWith('on')) {
const msg = `Binding to event property '${name}' is disallowed for security reasons, ` +
`please use (${name.slice(2)})=...` +
`\nIf '${name}' is a directive input, make sure the directive is imported by the` +
` current module.`;
throw new Error(msg);
}
}
fix(ivy): throw on bindings to unknown properties (#28537) This commit adds a devMode-only check which will throw if a user attempts to bind a property that does not match a directive input or a known HTML property. Example: ``` <div [unknownProp]="someValue"></div> ``` The above will throw because "unknownProp" is not a known property of HTMLDivElement. This check is similar to the check executed in View Engine during template parsing, but occurs at runtime instead of compile-time. Note: This change uncovered an existing bug with host binding inheritance, so some Material tests had to be turned off. They will be fixed in an upcoming PR. PR Close #28537
2019-02-04 21:42:55 -08:00
export function validateAgainstEventAttributes(name: string) {
fix(ivy): validate props and attrs with "on" prefix at runtime (#28054) Prior to this change we performed prop and attr name validation at compile time, which failed in case a given prop/attr is an input to a Directive (thus should not be a subject to this check). Since Directive matching in Ivy happens at runtime, the corresponding checks are now moved to runtime as well. PR Close #28054
2019-01-10 13:34:39 -08:00
if (name.toLowerCase().startsWith('on')) {
const msg = `Binding to event attribute '${name}' is disallowed for security reasons, ` +
`please use (${name.slice(2)})=...`;
throw new Error(msg);
}
}
fix(ivy): Implement remaining methods for DebugNode (#27387) PR Close #27387
2018-11-28 15:54:38 -08:00
function getSanitizer(): Sanitizer|null {
const lView = getLView();
return lView && lView[SANITIZER];
refactor(core): remove duplicate check in `defaultStyleSanitizer` (#26947) PR Close #26947
2019-01-22 13:15:10 +02:00
}
Reference in New Issue Copy Permalink