From 810c722413be130e2f8a562b281ae2f19af8ed08 Mon Sep 17 00:00:00 2001
From: Martin Probst
Date: Tue, 28 Jun 2016 18:13:46 -0700
Subject: [PATCH] docs(security): point users to docs when sanitization fails. (#9680)

---
 .../src/security/dom_sanitization_service.ts | 12 ++++++++----
 .../platform-browser/src/security/html_sanitizer.ts | 2 +-
 .../platform-browser/src/security/style_sanitizer.ts | 5 ++++-
 .../platform-browser/src/security/url_sanitizer.ts | 4 +++-
 4 files changed, 16 insertions(+), 7 deletions(-)

diff --git a/modules/@angular/platform-browser/src/security/dom_sanitization_service.ts b/modules/@angular/platform-browser/src/security/dom_sanitization_service.ts
index 2aa369b067..83c0fe52da 100644
--- a/modules/@angular/platform-browser/src/security/dom_sanitization_service.ts
+++ b/modules/@angular/platform-browser/src/security/dom_sanitization_service.ts
@@ -175,15 +175,18 @@ export class DomSanitizationServiceImpl extends DomSanitizationService {
 return value.changingThisBreaksApplicationSecurity;
 }
 this.checkNotSafeValue(value, 'ResourceURL');
- throw new Error('unsafe value used in a resource URL context');
+ throw new Error(
+ 'unsafe value used in a resource URL context (see http://g.co/ng/security#xss)');
 default:
- throw new Error(`Unexpected SecurityContext ${ctx}`);
+ throw new Error(`Unexpected SecurityContext ${ctx} (see http://g.co/ng/security#xss)`);
 }
 }
 
 private checkNotSafeValue(value: any, expectedType: string) {
 if (value instanceof SafeValueImpl) {
- throw new Error(`Required a safe ${expectedType}, got a ${value.getTypeName()}`);
+ throw new Error(
+ `Required a safe ${expectedType}, got a ${value.getTypeName()} ` +
+ `(see http://g.co/ng/security#xss)`);
 }
 }
 
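Review bot: The link appended in the `default:` branch points at the XSS documentation for what is an internal invariant failure — an unrecognised `SecurityContext` value — rather than a sanitization failure a template author can act on, so that branch should probably keep the plain `Unexpected SecurityContext ${ctx}` message or reference a different resource. The other two messages in this hunk (the resource-URL throw and `checkNotSafeValue`) are user-facing sanitization failures and the pointer fits there. Separately, every new message in this patch (this hunk, the `toString` hunk below, and the three sanitizer warnings) uses a plain `http://` link; a security-guidance link is better emitted as `https://g.co/ng/security#xss` so the redirect cannot be tampered with in transit. The enclosing method's `switch` starts outside the hunk.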
@@ -204,7 +207,8 @@ abstract class SafeValueImpl implements SafeValue {
 abstract getTypeName(): string;
 
 toString() {
- return `SafeValue must use [property]=binding: ${this.changingThisBreaksApplicationSecurity}`;
+ return `SafeValue must use [property]=binding: ${this.changingThisBreaksApplicationSecurity}` +
+ ` (see http://g.co/ng/security#xss)`;
 }
 }
 
diff --git a/modules/@angular/platform-browser/src/security/html_sanitizer.ts b/modules/@angular/platform-browser/src/security/html_sanitizer.ts
index 3f8cdfcc19..543c7bb293 100644
--- a/modules/@angular/platform-browser/src/security/html_sanitizer.ts
+++ b/modules/@angular/platform-browser/src/security/html_sanitizer.ts
@@ -271,7 +271,7 @@ export function sanitizeHtml(unsafeHtmlInput: string): string {
 }
 
 if (isDevMode() && safeHtml !== unsafeHtmlInput) {
- DOM.log('WARNING: sanitizing HTML stripped some content.');
+ DOM.log('WARNING: sanitizing HTML stripped some content (see http://g.co/ng/security#xss).');
 }
 
 return safeHtml;
diff --git a/modules/@angular/platform-browser/src/security/style_sanitizer.ts b/modules/@angular/platform-browser/src/security/style_sanitizer.ts
index 78258c9200..682ff7d8e2 100644
--- a/modules/@angular/platform-browser/src/security/style_sanitizer.ts
+++ b/modules/@angular/platform-browser/src/security/style_sanitizer.ts
@@ -92,7 +92,10 @@ export function sanitizeStyle(value: string): string {
 return value; // Safe style values.
 }
 
- if (isDevMode()) getDOM().log('WARNING: sanitizing unsafe style value ' + value);
+ if (isDevMode()) {
+ getDOM().log(
+ `WARNING: sanitizing unsafe style value ${value} (see http://g.co/ng/security#xss).`);
+ }
 
 return 'unsafe';
 }
diff --git a/modules/@angular/platform-browser/src/security/url_sanitizer.ts b/modules/@angular/platform-browser/src/security/url_sanitizer.ts
index dd5a9f9d74..1ff6fe30ea 100644
--- a/modules/@angular/platform-browser/src/security/url_sanitizer.ts
+++ b/modules/@angular/platform-browser/src/security/url_sanitizer.ts
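Review bot: The trailing punctuation of the three new sanitizer warnings is inconsistent: the HTML and style messages close the parenthetical with a period (`(see http://g.co/ng/security#xss).`) while the URL warning in the url_sanitizer.ts hunk has none. Pick one form so log filtering and tests that match on the message stay uniform, e.g. in sanitizeStyle drop the period: `WARNING: sanitizing unsafe style value ${value} (see http://g.co/ng/security#xss)`. Note also that `${value}` is interpolated unbounded into the console message, so a very long rejected value buries the link at the end of the line; truncating the value for display would keep the warning readable, though this was already true of the replaced line.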
@@ -50,7 +50,9 @@ export function sanitizeUrl(url: string): string {
 url = String(url);
 if (url.match(SAFE_URL_PATTERN) || url.match(DATA_URL_PATTERN)) return url;
 
- if (isDevMode()) getDOM().log('WARNING: sanitizing unsafe URL value ' + url);
+ if (isDevMode()) {
+ getDOM().log(`WARNING: sanitizing unsafe URL value ${url} (see http://g.co/ng/security#xss)`);
+ }
 
 return 'unsafe:' + url;
 }