docs: Add notes on manual sanitization to security guide (#24176)

Some users have remarked that we don't explain how to manually call
sanitization, so add a few lines on that.

PR Close #24176
Raphaël Jamet 2018-05-29 15:03:48 +02:00 committed by Victor Berchet
parent 2aab1c9dd6
commit 5840a86f98
1 changed files with 10 additions and 4 deletions


@ -127,13 +127,19 @@ tag but keeps safe content such as the text content of the `<script>` tag and th
</figure> </figure>
### Direct use of the DOM APIs and explicit sanitization calls
### Avoid direct use of the DOM APIs
The built-in browser DOM APIs don't automatically protect you from security vulnerabilities. The built-in browser DOM APIs don't automatically protect you from security vulnerabilities.
For example, `document`, the node available through `ElementRef`, and many third-party APIs For example, `document`, the node available through `ElementRef`, and many third-party APIs
contain unsafe methods. Avoid directly interacting with the DOM and instead use Angular contain unsafe methods. In the same way, if you interact with other libraries that manipulate
templates where possible. the DOM, you likely won't have the same automatic sanitization as with Angular interpolations.
Avoid directly interacting with the DOM and instead use Angular templates where possible.
For cases where this is unavoidable, use the built-in Angular sanitization functions.
Sanitize untrusted values with the [DomSanitizer.sanitize](api/platform-browser/DomSanitizer#sanitize)
method and the appropriate `SecurityContext`. That function also accepts values that were
marked as trusted using the `bypassSecurityTrust`... functions, and will not sanitize them,
as [described below](#bypass-security-apis).
### Content security policy ### Content security policy
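Review bot: the added paragraph ("Sanitize untrusted values with the [DomSanitizer.sanitize] method and the appropriate `SecurityContext`") never says what makes a context appropriate, and since this section exists precisely for readers who call sanitization by hand, picking the wrong context is the likely mistake. Suggest adding that the context must match the sink the value is written into (for example `SecurityContext.HTML` for a value assigned to `innerHTML`, `SecurityContext.URL` for one used as an `href`), and that it is the method's return value, not the original string, that should reach the DOM. Minor: the literal ``bypassSecurityTrust`...`` renders awkwardly; "the `bypassSecurityTrust...` functions" with the ellipsis inside the code span, or "the `bypassSecurityTrust*` family of functions", reads more clearly.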