From 3009be8d6e964a3612793f38fbc0d185fb0e8a8a Mon Sep 17 00:00:00 2001
From: Martin Probst
Date: Wed, 17 Aug 2016 13:42:18 -0700
Subject: [PATCH] docs(security): mark the various DomAdapters as unsafe. (#10868)

Part of #8511.
---
 .../platform-browser/src/browser/browser_adapter.ts | 3 +++
 .../platform-browser/src/browser/generic_browser_adapter.ts | 3 +++
 modules/@angular/platform-browser/src/dom/dom_adapter.ts | 3 +++
 modules/@angular/platform-server/src/parse5_adapter.ts | 6 ++++++
 4 files changed, 15 insertions(+)

diff --git a/modules/@angular/platform-browser/src/browser/browser_adapter.ts b/modules/@angular/platform-browser/src/browser/browser_adapter.ts
index ad25ace62f..62a907777c 100644
--- a/modules/@angular/platform-browser/src/browser/browser_adapter.ts
+++ b/modules/@angular/platform-browser/src/browser/browser_adapter.ts
@@ -64,6 +64,9 @@ var _chromeNumKeyPadMap = {
 /**
  * A `DomAdapter` powered by full browser DOM APIs.
+ *
+ * @security Tread carefully! Interacting with the DOM directly is dangerous and
+ * can introduce XSS risks.
  */
 /* tslint:disable:requireParameterType */
 export class BrowserDomAdapter extends GenericBrowserDomAdapter {
diff --git a/modules/@angular/platform-browser/src/browser/generic_browser_adapter.ts b/modules/@angular/platform-browser/src/browser/generic_browser_adapter.ts
index 9ea45e9286..b0480e651c 100644
--- a/modules/@angular/platform-browser/src/browser/generic_browser_adapter.ts
+++ b/modules/@angular/platform-browser/src/browser/generic_browser_adapter.ts
@@ -14,6 +14,9 @@ import {isFunction, isPresent} from '../facade/lang';
 /**
  * Provides DOM operations in any browser environment.
+ *
+ * @security Tread carefully! Interacting with the DOM directly is dangerous and
+ * can introduce XSS risks.
  */
 export abstract class GenericBrowserDomAdapter extends DomAdapter {
 private _animationPrefix: string = null;
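Review bot: The `@security` text added to `BrowserDomAdapter` says the DOM is dangerous but names neither the kind of call that creates the risk nor what a caller should use instead, so a reader has nothing to act on. The same two lines are repeated on `GenericBrowserDomAdapter`, `DomAdapter` and `Parse5DomAdapter`. I would make the note concrete, for example `@security Values passed to methods that write markup, URLs or attributes are not sanitized here; pass only trusted or already-sanitized values and prefer template bindings.` Whether the adapters really perform no sanitization is not visible in these hunks, so that wording should be confirmed against the class bodies, which lie outside the diff.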
diff --git a/modules/@angular/platform-browser/src/dom/dom_adapter.ts b/modules/@angular/platform-browser/src/dom/dom_adapter.ts
index 226bd92159..21b54c46b9 100644
--- a/modules/@angular/platform-browser/src/dom/dom_adapter.ts
+++ b/modules/@angular/platform-browser/src/dom/dom_adapter.ts
@@ -29,6 +29,9 @@ export function setRootDomAdapter(adapter: DomAdapter) {
 /* tslint:disable:requireParameterType */
 /**
  * Provides DOM operations in an environment-agnostic way.
+ *
+ * @security Tread carefully! Interacting with the DOM directly is dangerous and
+ * can introduce XSS risks.
  */
 export abstract class DomAdapter {
 public resourceLoaderType: Type = null;
diff --git a/modules/@angular/platform-server/src/parse5_adapter.ts b/modules/@angular/platform-server/src/parse5_adapter.ts
index 24f29c366d..91b9020fa3 100644
--- a/modules/@angular/platform-server/src/parse5_adapter.ts
+++ b/modules/@angular/platform-server/src/parse5_adapter.ts
@@ -35,6 +35,12 @@ function _notImplemented(methodName: any /** TODO #9100 */) {
 }
 /* tslint:disable:requireParameterType */
+/**
+ * A `DomAdapter` powered by the `parse5` NodeJS module.
+ *
+ * @security Tread carefully! Interacting with the DOM directly is dangerous and
+ * can introduce XSS risks.
+ */
 export class Parse5DomAdapter extends DomAdapter {
 static makeCurrent() {
 parser = new parse5.Parser(parse5.TreeAdapters.htmlparser2);
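Review bot: The note on `Parse5DomAdapter` is copied unchanged from the browser adapters, but this class lives in `platform-server` and works on a `parse5` tree rather than a live browser DOM. The exposure here is presumably that unescaped values written through the adapter end up in the HTML serialized for the client, and the comment should say so, e.g. `@security Content written through this adapter is serialized into the server response; unsanitized input becomes markup in the page sent to the browser.` The class body continues past the end of the hunk, so this reading is inferred from the file path and the class description only.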